Re: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b



At 05:46 PM 12/18/95 -0800, Rich Graves wrote:
>Except for the bit about the file not being deleted after quitting
>Netscape (which is Bad), this is old news. This is why security-conscious
>sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted
>form rather than via simple browser authentication. 

On a related note, how does Netscape (or HTTP in general) authenticate using
the password? My best guess, without a sniffer, is (making up error codes as
I go along, but you get the point):

        Browser Sends: GET ...
        Server Replies:  4xx (3xx? 2xx?) Sorry. I need authentication.
        Browser (after querying user): GET along with user-name/password
        Server: ...whatever the page is...

Given that, what allows me to go on and see other (protected) pages on the
same server without being re-prompted? Is it a similar conversation to the
one above or does the browser broadcast the password on every subsequent
request? I cannot ascertain the behavior by going to another site protected
by a different password. Either one is possible. What I'm hoping happens
with multiple sites is:

        Browser Sends: GET ...
        Server Replies:  4xx (3xx? 2xx?) Sorry. I need authentication.
        Browser (after querying user): GET along with user-name/password
        Server: ...whatever the page is...
     (1)Browser (to a different server): GET ...
        Server2:  4xx (3xx? 2xx?) Sorry. I need authentication.
        Browser: user-name/password cached from before
        Server2:  4xx (3xx? 2xx?) Sorry. That's not it. I need authentication.
     (2)Browser (after re-querying user): GET user-name2/password2
        Server: ...whatever the page is...

The broadcast option would change (1) to (2) above to:

     (1)Browser (to a different server): GET along with user-name/password
        Server2:  4xx (3xx? 2xx?) Sorry. (That's not it?) I need authentication.
     (2)Browser (after re-querying user): GET user-name2/password2

Admittedly, the second one is more optimal, but does this mean it would
broadcast the user/passwd to every site? Even the first option winds up
sending wrong passwords to other servers. Does the browser re-prompt if it
detects a new IP address or a different sub-tree of the same server?

Anyway, lots of conjecture (sp?) here. Does anyone know how it really works
or can point me at a reference? Thanks.

					Karl
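
The exchange asked about above, as an added illustration that is not part of the original message or thread: a small Python model of HTTP Basic authentication as specified in RFC 7617, where the server challenges with 401 and a `WWW-Authenticate` realm, and the client resends the credentials on every later request to that host but never to a different one. The host names, accounts, `server` function and `Browser` class are constructed for the example; RFC 7617 also narrows preemptive sends by path prefix, which this model leaves out.

```python
import base64

# Constructed sample data: two hosts, each with its own realm and account.
SERVERS = {
    "a.example": {"realm": "staff", "user": "karl", "password": "pw-a"},
    "b.example": {"realm": "members", "user": "karl2", "password": "pw-b"},
}

def basic_header(user, password):
    # Basic scheme: base64("user:password"). This is encoding, not encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def server(host, path, headers):
    """Return (status, response_headers) for a GET to a protected host."""
    cfg = SERVERS[host]
    if headers.get("Authorization") == basic_header(cfg["user"], cfg["password"]):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{cfg["realm"]}"'}

class Browser:
    """Hypothetical client that scopes cached credentials to (host, realm)."""
    def __init__(self, prompt):
        self.prompt = prompt   # callable(host, realm) -> (user, password)
        self.cache = {}        # (host, realm) -> Authorization value
        self.wire = []         # every (host, path, Authorization) sent

    def _send(self, host, path, auth):
        self.wire.append((host, path, auth))
        return server(host, path, {"Authorization": auth} if auth else {})

    def get(self, host, path):
        # Preemptive send only to a host that has already challenged us.
        known = [v for (h, _), v in self.cache.items() if h == host]
        sent = known[0] if known else None
        status, hdrs = self._send(host, path, sent)
        if status == 401:
            realm = hdrs["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            auth = self.cache.get((host, realm))
            if auth is None or auth == sent:   # nothing cached, or it was rejected
                auth = basic_header(*self.prompt(host, realm))
            status, _ = self._send(host, path, auth)
            if status == 200:
                self.cache[(host, realm)] = auth
        return status
```

Because the credentials travel in recoverable form on every request inside the protection space, the scheme is only as confidential as the transport carrying it.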