http password
Dar Scott
dsc at swcp.com
Fri Feb 13 14:56:12 EST 2004
On Friday, February 13, 2004, at 12:23 PM, Alex Rice wrote:

> ...a recently-discovered flaw in the way that IE parses URLs allows
> scam artists to completely replace Web URLs that use the
> username:password@ formatting with a URL of their choosing, regardless
> of which Web page is actually displayed in IE.

There is a related weakness in SSL and this might aggravate it. SSL
will help assure that the other guys are who they say they are but does
nothing to connect who they say they are to who you think they are.
The closest thing is the user looking at the URL.

Fortunately, specialized browsers can do some checking that should help
a lot. I hope that the upcoming SSL capability includes the ability to
see some or most fields from the presented certificate. This will
allow Revolution apps to fill an important niche.
Dar Scott
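
The kind of checking discussed in this message, sketched as an added example (not code from the original post or from Revolution): a special-purpose client that knows which host and organization it expects can ignore the `username:password@` part of a URL and compare the presented certificate's fields against those expectations. The function names, hostnames, organization names and certificate dictionaries are constructed for illustration; name matching is exact only, with no wildcard handling.

```python
from urllib.parse import urlsplit

def real_host(url):
    """Return (host, userinfo): host is what the client connects to,
    userinfo is whatever precedes '@' in the authority (None if absent)."""
    parts = urlsplit(url)
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else None
    return parts.hostname, userinfo

def cert_fields(cert):
    """Flatten the subject of an ssl.getpeercert()-style dict and list its DNS names."""
    subject = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    dns_names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return subject, dns_names

def check_destination(url, cert, expected_host, expected_org):
    """Return reasons to distrust the connection; an empty list means every check passed."""
    problems = []
    host, userinfo = real_host(url)
    if userinfo is not None:
        problems.append(f"userinfo {userinfo!r} precedes the real host {host!r}")
    if host != expected_host.lower():
        problems.append(f"connecting to {host!r}, expected {expected_host!r}")
    subject, dns_names = cert_fields(cert)
    if expected_host.lower() not in dns_names:  # exact match only (assumption)
        problems.append(f"certificate names {dns_names} do not include {expected_host!r}")
    if subject.get("organizationName") != expected_org:
        problems.append(f"certificate organization is {subject.get('organizationName')!r}")
    return problems

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
OTHER_CERT = {
    "subject": ((("organizationName", "Unrelated Ltd"),), (("commonName", "login.example.net"),)),
    "subjectAltName": (("DNS", "login.example.net"),),
}

if __name__ == "__main__":
    print(check_destination("https://www.example.com/login", GOOD_CERT,
                            "www.example.com", "Example Corp"))
    for reason in check_destination("https://www.example.com:secret@login.example.net/a",
                                    OTHER_CERT, "www.example.com", "Example Corp"):
        print("distrust:", reason)
```

In the second call the certificate is a perfectly valid one for the host actually contacted, which is why only the comparison against the application's own expectations catches the mismatch.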