Re: URL coding : ftp passwords in clear!

From: Gregory Maxwell <>
Date: Wed, 9 Jul 1997 08:20:39 -0400 (EDT)

On Wed, 9 Jul 1997, Francis Mouthaud wrote:

> I hope that Squid will be smarter very soon because it is a real
> security problem.

 I hope people who make reviews like this will be smarter very soon
because it is a real security problem.

 The only people who should EVER have access to squid logs are people who
would have access to sniff the network; furthermore, those logs are to be
rotated and sanitized daily.

 Also, FTP passwords are always 'in the clear', at least on the wire. If
some stupid browser displays them (hasn't it always before this?) it isn't
a squid problem. It isn't like squid is displaying it. As for Netscape
displaying it, big whoop, it's a minor bug.. They happen..

" * No problem from the client side. The reported issue exposes the
    password to the user and the Proxy server operator only. A hacker
    would have to separately attempt to break into the user's computer
    to try and steal the information. User information cannot be
    taken by exploiting reported privacy bug because it has been fixed."

See, even they think it's not a security concern.. If a 'hacker' has
access to the history file, or the access logs, then there are bigger
problems to worry about...

Obscurity != Security. There is nothing secure about Telnet, HTTP, or
FTP, provided you have a hacker with access to your local computer or your
network. I really wish people would understand this. If you want security
try HTTPS, SSL, and SSH. If there is a bug in one of those: Then you can
throw a fit. Otherwise, politely report the problem to the appropriate
place and relax, your security isn't being compromised. FTP had no
security to begin with.

                                                Gregory Maxwell
Received on Wed Jul 09 1997 - 06:23:07 MDT
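
The message above says Squid logs should be sanitized. As an added example (not part of the original message and not code from Squid), this is one way to strip passwords from `scheme://user:password@host` URLs in access-log lines. The sample log lines, function names and the REDACTED placeholder are constructed for illustration.

```python
import re

# scheme://userinfo@ ; userinfo runs to the LAST '@' before the path, so an
# unencoded '@' inside the password is still covered. '?' and '#' are excluded
# so an '@' in a query string (e.g. an e-mail address) is not mistaken for it.
_USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)(?P<userinfo>[^/\s?#]*)@"
)
PLACEHOLDER = "REDACTED"  # constructed marker, not a Squid convention


def _redact(match):
    user, sep, _password = match.group("userinfo").partition(":")
    if not sep:  # user name only, no password in the URL
        return match.group(0)
    return f"{match.group('scheme')}{user}:{PLACEHOLDER}@"


def sanitize_line(line):
    """Replace the password part of any URL userinfo in one log line."""
    return _USERINFO.sub(_redact, line)


def sanitize_log(lines):
    """Return (sanitized_lines, number_of_lines_that_changed)."""
    cleaned = [sanitize_line(line) for line in lines]
    changed = sum(1 for old, new in zip(lines, cleaned) if old != new)
    return cleaned, changed


# Constructed sample lines in Squid's native access.log layout.
SAMPLE_LOG = [
    "868450839.123 512 10.0.0.5 TCP_MISS/200 4312 GET "
    "ftp://alice:s3cret@ftp.example.com/pub/file.txt - DIRECT/ftp.example.com text/plain",
    "868450840.456 230 10.0.0.6 TCP_MISS/200 1200 GET "
    "ftp://bob:p@ss@ftp.example.com/home/bob/ - DIRECT/ftp.example.com text/html",
    "868450841.789 120 10.0.0.7 TCP_MISS/200 900 GET "
    "ftp://ftp.example.com/pub/README - DIRECT/ftp.example.com text/plain",
    "868450842.012 95 10.0.0.8 TCP_HIT/200 700 GET "
    "http://www.example.com/find?q=user@example.org - NONE/- text/html",
]

if __name__ == "__main__":
    cleaned, changed = sanitize_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(f"{changed} line(s) sanitized")
```

Anonymous FTP URLs and query strings containing an `@` pass through unchanged; only the password portion of a URL's userinfo is replaced.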
