[4633] in WWW Security List Archive
Re: changing passwords
daemon@ATHENA.MIT.EDU (Dennis Glatting)
Mon Mar  3 13:10:30 1997
From: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>
Date: Mon,  3 Mar 97 07:37:55 -0800
To: "Piotr Jakubczak" <pj@zigzag.pl>
cc: <www-security@ns2.rutgers.edu>
Reply-To: dennis.glatting@plaintalk.bellevue.wa.us
Errors-To: owner-www-security@ns2.rutgers.edu
> From: "Piotr Jakubczak" <pj@zigzag.pl>
> Date: Mon, 3 Mar 1997 02:09:29 +0100
>
> Hello!
>
> Being an administrator for an ISP I've always had many clients
> requesting some Web interface for changing passwords. I guess
> with SSL it would be secure enough.
>
If you are not using client certificates or a shared key SSL
mechanism then, no, it is not. See the Web spoofing paper at
http://www.cs.princeton.edu/sip/.
> And anyway, clients don't have too many rights or privileges on
> my machines so I don't really care. I could not, however, find
> any way to make something like that possible. I talked to
> Microsoft about it and they said it's impossible to implement
> such an interface as the NT security system is designed in a way
> that won't allow such a thing! Well, I thought they knew what they were
> saying and got convinced. Lately however I've been shocked to
> find that a fellow admin wrote some short program to perform
> exactly what I need. Unfortunately he's working for our No 1
> competitor in this city, so he won't share it with me. :)
>
> Does anybody have any idea how it could be done?
>
-dpg