[Zope] browser security
Timothy Wilson
wilson@visi.com
Tue, 4 Jan 2000 14:44:12 -0600 (CST)
On Tue, 4 Jan 2000, Brian Lloyd wrote:
> I don't believe that the username:password part of the url
> ever actually goes out on the wire - my understanding of this
> is that IE (or other browsers that support this construct)
> just accept this as a convenient shorthand and that they
> remove the username/pw and send it in a header as usual...
>
> As far as cracking tools, I can't imagine how this would
> have any impact one way or the other - it's really just
> a client convenience.
I guess it just seems easy to imagine a cracking tool like John the Ripper
that would start trying to guess passwords using the
http://user:password@site.com/
form rather than messing around with headers in the HTTP packets. But I'm not a
programmer. I may very well be overestimating the risk.
-Tim
--
Timothy Wilson | "The faster you | Check out:
Henry Sibley H.S. | go, the shorter | http://slashdot.org/
W. St. Paul, MN, USA | you are." | http://linux.com/
wilson@visi.com | -Einstein | http://www.mn-linux.org/
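
Added example, not part of the original message: a Python sketch of the behaviour described in the quoted reply, where a client strips the `user:password@` part of the URL and sends the credentials in an `Authorization: Basic` header instead. The function names are hypothetical and the URL is the placeholder used in the thread.

```python
import base64
from urllib.parse import urlsplit, unquote


def build_request(host, target, credentials=None):
    """Serialize a minimal HTTP/1.1 GET request as it would appear on the wire."""
    lines = [f"GET {target} HTTP/1.1", f"Host: {host}"]
    if credentials is not None:
        user, password = credentials
        # Basic auth is base64("user:password"): an encoding, not encryption,
        # so confidentiality on the wire depends on TLS either way.
        token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
        lines.append("Authorization: Basic " + token.decode("ascii"))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def from_userinfo_url(url):
    """Turn a URL with embedded userinfo into the request a client sends.

    The userinfo never reaches the request line or the Host header; it only
    survives as the Authorization header.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname
    if parts.port:
        host += f":{parts.port}"
    credentials = None
    if parts.username is not None:
        credentials = (unquote(parts.username), unquote(parts.password or ""))
    return build_request(host, target, credentials)


if __name__ == "__main__":
    # Constructed sample input: the placeholder URL from the thread.
    shorthand = from_userinfo_url("http://user:password@site.com/")
    explicit = build_request("site.com", "/", ("user", "password"))
    print(shorthand.decode("ascii"))
    print("identical to header-based request:", shorthand == explicit)
```

Because both forms produce the same bytes, the server cannot tell them apart, and server-side controls such as failed-login throttling see each attempt identically.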