Re: slashdot / slashcode disclosing passwords


 



On Wed, 11 Sep 2002, Jamie McCarthy wrote:

> ...you were impatient, I guess.  But the explanation is simple.

Yes, indeed, as several people already pointed out. But what's the reason
for having such an insecure solution? It's fairly easy to implement it in
many other ways. For example, following the link in the future could cause
an automatic redirect to a "clean" URL and give the user a temporary
cookie or such.

>     You can automatically log in by clicking _This Link_ and
>     Bookmarking the resulting page.  This is totally insecure,
>     but very convenient.

It's insecure without a good reason, I think, plus, it does not explain
why. Many people may be under the impression that having a plaintext
password in their bookmarks is the problem, and are not aware they are
giving out their credentials to the outside world.

Regards,
-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
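
The redirect-and-cookie approach suggested in the message above, as an added Python example (not part of the original post and not Slashcode's own code). The parameter names `user` and `pass`, the `/index` path, the in-memory account store and the cookie attributes are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample data; a real site would verify a stored password hash.
USERS = {"alice": "s3cret-constructed"}
SESSIONS = {}                    # session token -> username
CRED_PARAMS = {"user", "pass"}   # hypothetical credential parameter names


def handle_login_link(url):
    """Handle a request for a bookmarked auto-login URL.

    Returns (status, headers). If the URL carries credentials, the reply is
    always a redirect to the same URL with those parameters stripped, so the
    page the browser finally displays has a credential-free address.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)

    # No credentials in the URL: nothing to clean, serve the page normally.
    if not CRED_PARAMS & query.keys():
        return "200 OK", []

    user = query.get("user", [""])[0]
    password = query.get("pass", [""])[0]

    # Rebuild the URL without the credential parameters.
    kept = [(k, v) for k, vs in query.items() if k not in CRED_PARAMS for v in vs]
    clean_url = urlunsplit(("", "", parts.path or "/", urlencode(kept), ""))
    headers = [("Location", clean_url), ("Cache-Control", "no-store")]

    # Constant-time comparison; unknown users never match.
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()):
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = user
        # Temporary session cookie replaces the password for later requests.
        headers.append(("Set-Cookie",
                        f"session={token}; Path=/; HttpOnly; Secure; "
                        "SameSite=Lax; Max-Age=3600"))
    return "302 Found", headers
```

The password still sits in the bookmark itself and in the server's request log for that first hit; the redirect only keeps it out of the address of the page the user ends up on.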

