
Cryptographic splicing makes for a Wordpress vulnerability

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 7:53 UTC (Thu) by ekj (guest, #1524)
Parent article: Cryptographic splicing makes for a Wordpress vulnerability

You don't have to authenticate on every page without cookies. HTTP Basic authentication is
implemented in such a way in browsers that they ask only once for username and password for a
site; as long as subsequent pages use the same authentication realm, the same username and
password is automatically reused.

Yes, technically this means your BROWSER authenticates every request, but you the USER don't
see this and aren't inconvenienced by it.

You do need to reauthenticate if you close and reopen your browser, though; cookies can
prevent that, if desired.
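To make the behaviour described above concrete, here is an added example (not from the commenter or from Wordpress) of a minimal Basic-auth client-side credential cache keyed by host and realm, alongside the server-side check; all names are hypothetical and the credentials are constructed.

```python
import base64
import hmac
import re

# Constructed example: the browser stores one credential per (host, realm) and
# re-sends it on every request in that protection space; "logging out" can only
# mean forgetting it locally, because the server is never told. Names hypothetical.

CHALLENGE_RE = re.compile(r'Basic\s+realm="([^"]*)"', re.IGNORECASE)

def parse_realm(www_authenticate):
    """Extract the realm from a WWW-Authenticate: Basic challenge header value."""
    m = CHALLENGE_RE.search(www_authenticate)
    if not m:
        raise ValueError("not a Basic challenge: %r" % www_authenticate)
    return m.group(1)

class BrowserAuthCache:
    """Remembers one credential per (host, realm); the user is prompted once per realm."""
    def __init__(self):
        self._creds = {}

    def authorization_for(self, host, realm, prompt):
        key = (host, realm)
        if key not in self._creds:
            # Only the first request into a new realm triggers the prompt.
            self._creds[key] = prompt(host, realm)
        user, password = self._creds[key]
        token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
        return "Basic " + token

    def forget(self, host, realm):
        """Client-side 'logout': drops the cached credential; no request is sent."""
        self._creds.pop((host, realm), None)

def verify_basic(authorization, users):
    """Server side: decode the Authorization header and compare in constant time.
    Returns the user name on success, None on any malformed or wrong credential."""
    if not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = users.get(user)
    if not sep or expected is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user
```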



Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 11:02 UTC (Thu) by epa (subscriber, #39769)

One of the biggest favours the Firefox developers could do for the web would be to make basic
http authentication more pretty and user-friendly, perhaps allowing a username/password widget
to be embedded in a web page and styled with CSS, so that web site authors would use it
instead of developing their own cookie-based monstrosities.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 15:53 UTC (Thu) by felixfix (subscriber, #242)

How would that help?  Wouldn't it only work for browsers that implement that particular
extension to HTML/CSS?

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 16:04 UTC (Thu) by TRS-80 (subscriber, #1804)

REST based authentication is an in-depth study on how to make HTTP authentication more friendly, in part by using AJAX to log in via a normal HTML form and various apache config tricks. But really W3C should fix HTTP authentication so there's no need to use these sorts of egregious hacks - for example, you have to implement challenge-response yourself in JavaScript and phishing becomes a problem.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 16:23 UTC (Thu) by bronson (subscriber, #4806)

And add the ability to log out!  What did the HTTP devs think, that nobody ever wanted to
share a computer?

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 18:52 UTC (Thu) by martinfick (subscriber, #4455)

That would probably be a browser implementation issue wouldn't it?  File a bug against your
browser if it does not allow this.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 19:36 UTC (Thu) by bronson (subscriber, #4806)

Can you name a browser implementation that does work?

Many bugs have been filed, and there's endless discussion only a google search away, but
there's been zero forward progress.

Opened 2004: https://bugzilla.mozilla.org/show_bug.cgi?id=260186
Opened 2001: https://bugzilla.mozilla.org/show_bug.cgi?id=68409

Since it's broken, nobody uses it, and nobody's interested in fixing it, I suppose HTTP Auth
should just be deprecated.  Cookie-based auth is awful, but it does work and people do use it.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 21:18 UTC (Thu) by martinfick (subscriber, #4455)

> Can you name a browser implementation that does work?

Yes, konqueror. It stores this info in the kde wallet system, the wallet system will allow you to remove entries from it.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 9, 2008 3:01 UTC (Fri) by bronson (subscriber, #4806)

That just forgets your password, right?  It doesn't actually allow you to log out.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 9, 2008 4:19 UTC (Fri) by evanp (subscriber, #50543)

Subsequent HTTP requests cause your browser to prompt you to login, so yes, you are indeed
"logged out" in that sense. The server isn't notified, though, which might be what you were
asking about.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 21:35 UTC (Thu) by martinfick (subscriber, #4455)

Also, with mozilla you can simply insert a new username@ after the ":" of your protocol like
this "http://bogus@site.com" and it will then proceed to prompt you for a username & password.
Now you can enter your original username and a bogus password which it will now remember.
Yes, this is a hack, but it will do what you want.  There may be a better method, but that is
what I came up with quickly.  I was surprised that it was not stored under the password tab in
the options menus.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 15, 2008 11:13 UTC (Thu) by endecotp (guest, #36428)

> Can you name a browser implementation that does work?

I believe that the old "Mozilla Suite" added an HTTP Auth logout button just-too-late for it
to end up in firefox.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds