Re: [Very OT] IIS Basic Authentication can be used for phishing

To: debian-user@lists.debian.org
Subject: Re: [Very OT] IIS Basic Authentication can be used for phishing
From: William Ballard <nospam_40811@alltel.net>
Date: Wed, 10 Nov 2004 02:25:33 -0500
Message-id: <[🔎] 20041110072533.GA16500@alltel.net>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 4191BFB4.2020601@upaya.co.uk>
References: <[🔎] 20041110064836.GA15866@alltel.net> <[🔎] 4191BFB4.2020601@upaya.co.uk>

On Wed, Nov 10, 2004 at 07:13:56AM +0000, Upayavira wrote:
> >
> How is this different from Apache's basic authentication, which I 
> believe also passes user/pass information as plain text?
> 
> You should use SSL with Apache too.

Yeah, isn't the Security hole actually in IE, which gives up
your username/password to anybody who asks for it so long as
you press okay at that dialog?  Firefox wouldn't do that.

Seems like a pretty easy way to Phish.  The problem is actually
in the behavior of IE.

I haven't tested it.  It's too obvious a gaping hole.  I must
be overlooking something.

Reply to:

References:
- [Very OT] IIS Basic Authentication can be used for phishing
  - From: William Ballard <nospam_40811@alltel.net>
- Re: [Very OT] IIS Basic Authentication can be used for phishing
  - From: Upayavira <uv@upaya.co.uk>

Prev by Date: Re: Redirecting stdout and stderr into a file
Next by Date: Re: Video card recognition
Previous by thread: Re: [Very OT] IIS Basic Authentication can be used for phishing
Next by thread: Re: [Very OT] IIS Basic Authentication can be used for phishing
Index(es):
- Date
- Thread