| |||||||||||||
Cryptographic splicing makes for a Wordpress vulnerabilityCryptographic splicing makes for a Wordpress vulnerabilityPosted May 8, 2008 11:02 UTC (Thu) by epa (subscriber, #39769)In reply to: Cryptographic splicing makes for a Wordpress vulnerability by ekj Parent article: Cryptographic splicing makes for a Wordpress vulnerability
One of the biggest favours the Firefox developers could do for the web would be to make basic http authentication more pretty and user-friendly, perhaps allowing a username/password widget to be embedded in a web page and styled with CSS, so that web site authors would use it instead of developing their own cookie-based monstrosities.
(Log in to post comments)
Cryptographic splicing makes for a Wordpress vulnerability Posted May 8, 2008 15:53 UTC (Thu) by felixfix (subscriber, #242) [Link] How would that help? Wouldn't it only work for browsers that implement that particular extension to HTML/CSS?
Cryptographic splicing makes for a Wordpress vulnerability Posted May 8, 2008 16:04 UTC (Thu) by TRS-80 (subscriber, #1804) [Link] REST based authentication is a in-depth study on how to make HTTP authentication more friendly, in part by using AJAX to log in via a normal HTML form and various apache config tricks. But really W3C should fix HTTP authentication so there's no need to use these sorts of egregious hacks - for example, you have to implement challenge-response yourself in JavaScript and phishing becomes a problem.
Cryptographic splicing makes for a Wordpress vulnerability Posted May 8, 2008 16:23 UTC (Thu) by bronson (subscriber, #4806) [Link] And add the ability to log out! What did the HTTP devs think, that nobody ever wanted to share a computer?
Cryptographic splicing makes for a Wordpress vulnerability Posted May 8, 2008 18:52 UTC (Thu) by martinfick (subscriber, #4455) [Link] That would probably be a browser implementation issue wouldn't it? File a bug against your browser if it does not allow this.
Cryptographic splicing makes for a Wordpress vulnerability Posted May 8, 2008 19:36 UTC (Thu) by bronson (subscriber, #4806) [Link] Can you name a browser implementation that does work? Many bugs have been filed, and there's endless discussion only a google search away, but there's been zero forward progress. Opened 2004: https://bugzilla.mozilla.org/show_bug.cgi?id=260186 Opened 2001: https://bugzilla.mozilla.org/show_bug.cgi?id=68409 Since it's broken, nobody uses it, and nobody's interested in fixing it, I suppose HTTP Auth should just be deprecated. Cookie-based auth is awful, but it does work and people do use it.
Cryptographic splicing makes for a Wordpress vulnerability Posted May 8, 2008 21:18 UTC (Thu) by martinfick (subscriber, #4455) [Link] Can you name a browser implementation that does work? Yes, konqueror. It stores this info in the kde wallet system, the wallet system will allow you to remove entries from it.
Cryptographic splicing makes for a Wordpress vulnerability Posted May 9, 2008 3:01 UTC (Fri) by bronson (subscriber, #4806) [Link] That just forgets your password, right? It doesn't actually allow you to log out.
Cryptographic splicing makes for a Wordpress vulnerability Posted May 9, 2008 4:19 UTC (Fri) by evanp (subscriber, #50543) [Link] Subsequent HTTP requests cause your browser to prompt you to login, so yes, you are indeed "logged out" in that sense. The server isn't notified, though, which might be what you were asking about.
Cryptographic splicing makes for a Wordpress vulnerability Posted May 8, 2008 21:35 UTC (Thu) by martinfick (subscriber, #4455) [Link] Also, with mozilla you can simply insert a new username@ after the ":" of your protocol like this "http://bogus@site.com" and it will then proceed to prompt you for a username & password. Now you can enter your original username and a bogus password which it will now remember. Yes, this is a hack, but it will do what you want. There may be a better method, but that is what I came up with quickly. I was surprised that it was not stored under the password tab in the options menus.
Cryptographic splicing makes for a Wordpress vulnerability Posted May 15, 2008 11:13 UTC (Thu) by endecotp (guest, #36428) [Link] > Can you name a browser implementation that does work? I believe that the old "Mozilla Suite" added an HTTP Auth logout button just-too-late for it to end up in firefox.
|
|||||||||||||