[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] NO-IP service Flaw
From:       Valdis.Kletnieks () vt ! edu
Date:       2009-01-27 16:57:51
Message-ID: 21065.1233075471 () turing-police ! cc ! vt ! edu
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


On Tue, 27 Jan 2009 00:41:59 GMT, infolookup@gmail.com said:
> What if you are sniffing the traffic for any http session the information is 
> submitted in clear text.

If you're traffic sniffing, you'll see the data whether it's GET or POST.
The distinction becomes important for things like http proxies and things
that log/remember URLs - it's somewhat bad form to leave a userid/password
sitting right there in the browser 'recent URLS' list or in a logfile someplace.

If you're passing the data in the URL, at best it can be obfuscated and
reversed fairly easily (unless you've got enough Javascript to pop open a
dialog window and use an entered value as a salt for encrypting before
transmission).

Yes, the proper thing to do here is a POST over https.

Personally, I'm surprised that a frikking *domain registrar* is that clueless
about basic security (the *biggest* issue in what would otherwise be a pretty
minor vulnerability).

Or maybe I'm not, actually..  I wonder what *else* they got wrong?

[Attachment #5 (application/pgp-signature)]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]