security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Oct 23 17:28:39 UTC 2006
See below:
Dick Hardt wrote:
> On 23-Oct-06, at 4:47 AM, James A. Donald wrote:
>
>
>> Dick Hardt wrote:
>>
>>> Perhaps we can discuss this from another point of
>>> view. Why should I need SSL on a blog I am writing a
>>> comment on when all the data I provide the blog will
>>> be published and public anyway? An attacker is not
>>> going to see anything more on the HTTP connection than
>>> they would on the blog?
>>>
>> If he sees your user's login information, there is a
>> problem.
>>
>
> Not if he is seeing the results. Obviously if the attacker sees the
> user's username and password there is a problem.
>
And even more obviously, a homesite would give you options to change the
password and/or personal details... Other sites might have other details
to show in the "personal user area". And yes, there is a huge problem!
BTW, with today's spam on forums, which includes URL postings and
sending mail messages to members, this is already a problem even at these
low-profile sites...
Therefore: Bad design will always hurt, and insecurity by design even
more... It doesn't matter whether the login is for a blog or a payment site;
both have the right to and an interest in reasonable protection, otherwise it
simply will not stick...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390