Return-Path: <root@fatcity.cts.com>
Received: from ensim.rackshack.net (root@localhost)
 by orafaq.net (8.11.6/8.11.6) with ESMTP id h0GHid131336
 for <oracle-l@orafaq.net>; Thu, 16 Jan 2003 11:44:39 -0600
X-ClientAddr: 209.68.248.164
Received: from newsfeed.cts.com (newsfeed.cts.com [209.68.248.164])
 by ensim.rackshack.net (8.11.6/8.11.6) with ESMTP id h0GHidp31331
 for <oracle-l@orafaq.net>; Thu, 16 Jan 2003 11:44:39 -0600
Received: from fatcity.UUCP (uucp@localhost)
 by newsfeed.cts.com (8.9.3/8.9.3) with UUCP id GAA74721;
 Thu, 16 Jan 2003 06:26:50 -0800 (PST)
Received: by fatcity.com (26-Feb-2001/v1.0g-b72/bab) via UUCP id 005311A8; Thu, 16 Jan 2003 04:53:54 -0800
Message-ID: <F001.005311A8.20030116045354@fatcity.com>
Date: Thu, 16 Jan 2003 04:53:54 -0800
To: Multiple recipients of list ORACLE-L <ORACLE-L@fatcity.com>
X-Comment: Oracle RDBMS Community Forum
X-Sender: "MacGregor, Ian A." <ian@SLAC.Stanford.EDU>
Sender: root@fatcity.com
Reply-To: ORACLE-L@fatcity.com
Errors-To: ML-ERRORS@fatcity.com
From: "MacGregor, Ian A." <ian@SLAC.Stanford.EDU>
Subject: Passwords and Web Servers.
Organization: Fat City Network Services, San Diego, California
X-ListServer: v1.0g, build 72; ListGuru (c) 1996-2001 Bruce A. Bergman
Precedence: bulk
Mime-Version: 1.0
Content-type: text/plain
Content-transfer-encoding: 7BIT

It was demonstrated to me recently that if one used "NT" authentication with a non-IE browser, one's NT password was available to the writer of the ASP script. Encryption between the browser and server is immaterial. The password has already been decrypted. If one used IE, then credentials rather than passwords are sent. If harvesting passwords is available with IIS, why can it not be done with 9iAS?

Ian MacGregor
Stanford Linear Accelerator Center
ian@SLAC.Stanford.edu
