It was demonstrated to me recently that if one used "NT" authentication with a non-IE browser one's NT password was available to the writer of the ASP script. Encryption between the browser and server is inmaterial. The password has already been decrypted. If one used IE then credentials rather than passwords are sent. If harvesting passwords is available with IIS, why can it not be done with 9iAS?
Ian MacGregor
Stanford Linear Accelerator Center
ian_at_SLAC.Stanford.edu
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: MacGregor, Ian A.
INET: ian_at_SLAC.Stanford.EDU
Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
Received on Thu Jan 16 2003 - 06:53:54 CST
