Last updated: 01/11/2005; 11:41:18
Xavi Caballé's Weblog
«I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve»
Bilbo Baggins, in «The Lord of the Rings. The Fellowship of the Ring»

Saturday, 29 October 2005


[PC World] A Peek at IE7's New Security. In the next version of Internet Explorer the SSLv2 protocol will be disabled; by default only SSLv3 and TLS 1.0 will be enabled. The Internet Explorer weblog explains it here: Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2.
User Experience changes

Whenever IE6 encountered a problem with a HTTPS-delivered webpage, the user was informed via a modal dialog box and was asked to make a security decision.  IE7 follows the XPSP2 “secure by default” paradigm by defaulting to the secure behavior.

Most importantly, IE7 will block navigation to HTTPS sites that present a digital certificate that has any of the following problems:
  1. Certificate was issued to a hostname other than the current URL’s hostname
  2. Certificate was issued by an untrusted root
  3. Certificate is expired
  4. Certificate is revoked
Upon encountering a certificate problem, IE7 presents an error page that explains the problem with the digital certificate.  The user may choose to ignore the warning and proceed in spite of the certificate error (unless the certificate was revoked).  If the user clicks through a certificate error page, the address bar will floodfill with red to serve as a persistent notification of the problem.

In addition, users will no longer see the so-called Mixed-Content prompt, which read: This page contains both secure and nonsecure items.  Do you want to see the nonsecure items?  IE7 renders only the secure content and offers the user the opportunity to unblock the nonsecure content using the Information Bar.  This is an important change because very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page.
 


17:00 (permanent link)
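The four certificate conditions IE7 blocks on, and the click-through rule that follows them, amount to a small policy that can be written down and tested. The following is an added example (not code from the original post or from Microsoft): it takes already-parsed certificate fields, reports which of the four conditions apply, and mirrors the described user-experience rule (block, override allowed for everything except revocation, red address bar after an override). The trust store, revocation list and certificates are constructed sample data, and the wildcard rule (one label only, never directly under a top-level domain) is a common client convention assumed here, not something the post states.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: a fictitious trust store and a CRL as (issuer, serial) pairs.
TRUSTED_ROOTS = {"Example Root CA"}
REVOKED = {("Example Root CA", 4242)}


@dataclass(frozen=True)
class Certificate:
    names: tuple          # CN plus subjectAltName DNS names, already extracted
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A single leading '*.' stands in for
    exactly one label and may not be used directly under a top-level domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_errors(cert, hostname, now, trusted_roots=TRUSTED_ROOTS, revoked=REVOKED):
    """Return the subset of IE7's four error conditions that apply to this certificate."""
    errors = []
    if not any(hostname_matches(n, hostname) for n in cert.names):
        errors.append("hostname-mismatch")
    if cert.issuer not in trusted_roots:
        errors.append("untrusted-root")
    if not (cert.not_before <= now <= cert.not_after):
        errors.append("expired")      # also covers a certificate that is not yet valid
    if (cert.issuer, cert.serial) in revoked:
        errors.append("revoked")
    return errors


def navigation_decision(errors, user_clicks_through=False):
    """Returns (decision, red_address_bar). Any error blocks; the user may override
    every error except revocation, and an override leaves the address bar red."""
    if not errors:
        return ("allow", False)
    if "revoked" in errors:
        return ("block", False)
    if user_clicks_through:
        return ("allow", True)
    return ("block", False)


def demo():
    """Run the policy over constructed certificates at the post's date."""
    utc = timezone.utc
    now = datetime(2005, 10, 29, 17, 0, tzinfo=utc)
    good = Certificate(("*.example.com",), "Example Root CA", 1001,
                       datetime(2005, 1, 1, tzinfo=utc), datetime(2006, 1, 1, tzinfo=utc))
    revoked = Certificate(("www.example.com",), "Example Root CA", 4242,
                          good.not_before, good.not_after)
    stale = Certificate(("www.example.com",), "Unknown CA", 7,
                        datetime(2003, 1, 1, tzinfo=utc), datetime(2004, 1, 1, tzinfo=utc))
    stale_errors = certificate_errors(stale, "www.example.com", now)
    return {
        "good": certificate_errors(good, "www.example.com", now),
        "bare-domain": certificate_errors(good, "example.com", now),
        "revoked": navigation_decision(certificate_errors(revoked, "www.example.com", now), True),
        "stale": stale_errors,
        "override": navigation_decision(stale_errors, True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```

The wildcard certificate deliberately does not match the bare domain, and the revoked certificate stays blocked even when the user tries to click through, which is the one case the post says cannot be overridden.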


An Assessment of the Oracle Password Hashing Algorithm. Oracle hashes the passwords stored in the SYS.USER$ table with a mechanism that has proven to be rather weak. One more example of how, in cryptography, keeping the algorithms secret is no guarantee of quality.
Passwords for local user accounts in Oracle databases are stored as 8-byte password hashes in the Oracle SYS.USER$ table using an undocumented hashing algorithm. We have however identified several weaknesses associated with its password handling method, which significantly weakens the protection offered by password-based authentication mechanisms. These weaknesses include:
  • Weak password salt selection;
  • Lack of alphabetic case preservation;
  • Weak hashing algorithm.
By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plaintext password from the password hash for a known user. In the following sections we review the weaknesses associated with this mechanism, and identify potential attack vectors that can be exploited by an adversary.
 
Among the amusing things Oracle does: it converts passwords to uppercase and ties the password hash to the user's account name.
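The two properties named above, case folding and using the account name as the only salt, can be shown side by side with what a sound scheme does instead. This is an added example, not the paper's code and not Oracle's algorithm: the post describes that algorithm as undocumented, so `weak_hash` is a stand-in built on SHA-256 that reproduces only the two stated properties (upper-casing the input and salting with nothing but the username, truncated to the 8-byte length the abstract mentions). `hardened_hash` is the contrast: a random per-user salt, case preserved, and a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The account list and word list are constructed sample data.

```python
import hashlib
import hmac
import os


def weak_hash(username: str, password: str) -> str:
    """Stand-in with the two weaknesses the post describes (NOT Oracle's real
    algorithm): the password is upper-cased, and the only 'salt' is the public
    account name. Truncated to 8 bytes (16 hex digits) like the stored Oracle hash."""
    material = (username + password).upper().encode("utf-16-be")
    return hashlib.sha256(material).hexdigest()[:16]


def case_fold_keyspace(length: int) -> tuple:
    """Alphanumeric keyspace with and without case distinction, and the reduction factor."""
    mixed, folded = 62 ** length, 36 ** length
    return mixed, folded, mixed // folded


def audit_weak_passwords(accounts: dict, wordlist: list) -> dict:
    """DBA-side audit of stored hashes: because the salt is just the username, one
    hash per (account, word) is enough, and case variants of a word cost nothing extra.
    Returns {username: matched word in the case-folded form the scheme actually keeps}."""
    hits = {}
    for user, stored in accounts.items():
        for word in wordlist:
            if hmac.compare_digest(weak_hash(user, word), stored):
                hits[user] = word.upper()
                break
    return hits


def hardened_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> tuple:
    """Contrast: random 16-byte salt per password, case preserved, slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_hardened(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Constructed SYS.USER$-style rows hashed with weak_hash, audited against a tiny word list."""
    accounts = {
        "SCOTT": weak_hash("SCOTT", "tiger"),
        "HR": weak_hash("HR", "Xk9#vQ2p"),
    }
    return audit_weak_passwords(accounts, ["welcome1", "Tiger", "oracle"])


if __name__ == "__main__":
    print("same hash for 'Secret1' and 'SECRET1':",
          weak_hash("SCOTT", "Secret1") == weak_hash("SCOTT", "SECRET1"))
    print("8-char alphanumeric keyspace (mixed, folded, factor):", case_fold_keyspace(8))
    print("audit hits:", demo())
```

Two things the run makes concrete: an 8-character alphanumeric password loses a factor of about 77 in keyspace once case is folded, and because the salt is the username, a hash matched for one account can be recognised for that account without any per-password secret, which is exactly why the abstract speaks of recovering the password "for a known user". The hardened variant fails verification on a case-changed password and produces unrelated digests for the same password under different salts.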


12:05 (permanent link)

© Copyright 2003-2005 Xavier Caballe. Unless expressly stated otherwise, the material published on this weblog is distributed under the Creative Commons licence. The content is solely and exclusively the responsibility of its author and bears no relation to his professional activities.
