[4173] in WWW Security List Archive
Re: adduser web page
daemon@ATHENA.MIT.EDU (John Gervasi - Loral - X1468)
Wed Jan 29 10:25:43 1997
Date: Wed, 29 Jan 1997 08:41:08 -0500
From: gervasi@manassas1.tds-gn.lmco.com (John Gervasi - Loral - X1468)
To: www-security@ns2.rutgers.edu, Paul@icbl.hw.ac.uk
Errors-To: owner-www-security@ns2.rutgers.edu
I don't know why there is so much concern for allowing password changing over the net, assuming you mean server access password control for browsers. We use SSL in conjunction with a Netscape Enterprise server where we have substituted our own user authentication routine (Sybase connectivity) as an NSAPI. Passwords are sent encrypted and the user has no ability to spoof the plugin.

If you need more info on how this works, send me email.
MY COORDINATES:
John J. Gervasi
Engineering Support Manager
Global Transportation Network Project

Lockheed Martin
9255 Wellington Road, Building 102
Manassas, Virginia 20110-4121

work 703.367.2534
fax 703.367.1076
beeper 703.233.6331
e-mail john.j.gervasi@lmco.com
or gervasi@manassas1.tds-gn.lmco.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Remember, life is what happens to you while
you were hoping for other results. :-)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> From owner-www-security@ns2.rutgers.edu Wed Jan 29 02:09:32 1997
> To: www-security@ns2.rutgers.edu
> From: Paul Rattray <Paul@icbl.hw.ac.uk>
> Subject: Re: adduser web page
>
> A bit harsh, David.
>
> If the original author wants to have a go at changing passwords over the
> web, then let's just point out security reasons that he should be aware of.
> It is his choice to do it or not.
>
> Personally though, I would avoid it if possible unless the network is secure,
> i.e. IP across the building, not the country.
>
> Paul
>
>
> At 12:49 27/01/97 -0800, you wrote:
> >
> >
> >On Sun, 26 Jan 1997 nella@asis.com wrote:
> >
> >> Is there any reason why it would not be possible to securely allow users to
> >> change their passwords via a web page and cgi script? Does anyone know if
> >> such a script already exists?
> >
> >Passwords for what??? Access to the web site? Or general system password?
> >
> >In general, you would NOT want to use an unsecured WWW transaction
> >to change a password. Certainly NEVER for a password the user might
> >use for system login access. There are other exposures since your CGI
> >program would have to act with sufficient privileges to change the
> >password on behalf of the user.
> >
> >In summary, since you had to ask the question, you probably don't have
> >easy access to the skills required to implement a secure solution and
> >perform the necessary risk assessment, etc. Therefore I would conclude
> >that you shouldn't do it.
> >
> >Dave Morris
> >
> >
> >
>
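As an added example, not code from any of the posters, here is a Python sketch of a web-site password-change handler that follows the advice in this thread: it refuses requests that did not arrive over SSL, authenticates the user with the current password before changing anything, and keeps credentials in a site-local store rather than the system password file, so the CGI needs no special privileges. The `HTTPS` CGI environment variable check and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed site-local credential store: username -> (salt, pbkdf2 hash).
# Separate from the system password file, so the CGI never needs root
# (this addresses the privilege exposure Dave Morris describes).
SITE_USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def set_password(user, password):
    """Store a fresh salted hash for the user (site password only)."""
    salt = secrets.token_bytes(16)
    SITE_USERS[user] = (salt, _hash(password, salt))


def verify(user, password):
    """Constant-time check of a candidate password against the store."""
    rec = SITE_USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))


def change_password(environ, form):
    """Handle one change request. Returns (HTTP status, message)."""
    # Refuse anything not delivered over SSL. 'HTTPS=on' is a common CGI
    # server convention (assumption); an unsecured transaction is rejected.
    if environ.get("HTTPS", "").lower() not in ("on", "1"):
        return 403, "password changes are accepted only over SSL"
    user = form.get("user", "")
    old = form.get("old", "")
    new = form.get("new", "")
    # The caller must prove knowledge of the current password first.
    if not verify(user, old):
        return 401, "current password incorrect"
    if len(new) < 8 or new == old:
        return 400, "new password rejected"
    set_password(user, new)
    return 200, "password changed"
```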