Posted to dev@httpd.apache.org by Marc Slemko <ma...@worldgate.com> on 1998/03/09 22:25:28 UTC

MSIE and auth. realms

Someone in a post to a newsgroup said that MSIE would treat two servers on
different ports on the same host as being the same server, i.e. cached auth
for a realm on a server on one port will be sent to a server on another
port requesting that auth.

Combine that with a public (e.g. University) system and IE caching
passwords on disk, and you come up with auth being useless.

Is what they said true, or are they doing something wrong like having both
saved to disk but not realizing it?


Re: MSIE and auth. realms

Posted by Dirk-Willem van Gulik <di...@jrc.it>.

On Tue, 10 Mar 1998, Marc Slemko wrote:

> And people have trouble understanding why I often think the weakest link
> in Internet commerce (aside from the user) is the user's software.  Sigh.
 
> That is very broken.  What it means is that any hostname that requires
> private auth can't allow any users on it to run anything, period.  Sheesh.
> Yea, you still have to get the clients to go to your page to steal it, but
> that can be easy.
 
Ah well, combined with a bit of samba code you can suck empty their
password caches anyway. But no seriously; we found that explicitly setting
different realms works fine. Make sure they are different in the first few
chars.  (But if you switch on printing of the user/pwd combo IE passes
voluntarily (i.e. not prompted by an AuthReq) then you might be surprised
sometimes. I found that useful for tracking down the problems.)
Dw.


Re: MSIE and auth. realms

Posted by Marc Slemko <ma...@worldgate.com>.

On Tue, 10 Mar 1998, Dirk-Willem van Gulik wrote:

> 
> 
> On Mon, 9 Mar 1998, Marc Slemko wrote:
> 
> > Someone in a post to a newsgroup said that MSIE would treat two servers on
> > different ports on the same host as being the same server, i.e. cached auth
> > for a realm on a server on one port will be sent to a server on another
> > port requesting that auth.
> > 
> > Combine that with a public (e.g. University) system and IE caching
> > passwords on disk, and you come up with auth being useless.
> 
> No, it is true; and some v3's also treat a realm "" as matching any realm and
> thus hand out passwords left, right and center. We ran into this recently
> with some schools expected to have old equipment and were forced to
> skip the vhosts and use different IP addresses. (Of course three weeks
> later they went to netscape.. :-( )

And people have trouble understanding why I often think the weakest link
in Internet commerce (aside from the user) is the user's software.  Sigh.

That is very broken.  What it means is that any hostname that requires
private auth can't allow any users on it to run anything, period.  Sheesh.
Yea, you still have to get the clients to go to your page to steal it, but
that can be easy.


Re: MSIE and auth. realms

Posted by Dirk-Willem van Gulik <di...@jrc.it>.

On Mon, 9 Mar 1998, Marc Slemko wrote:

> Someone in a post to a newsgroup said that MSIE would treat two servers on
> different ports on the same host as being the same server, i.e. cached auth
> for a realm on a server on one port will be sent to a server on another
> port requesting that auth.
> 
> Combine that with a public (e.g. University) system and IE caching
> passwords on disk, and you come up with auth being useless.

No, it is true; and some v3's also treat a realm "" as matching any realm and
thus hand out passwords left, right and center. We ran into this recently
with some schools expected to have old equipment and were forced to
skip the vhosts and use different IP addresses. (Of course three weeks
later they went to netscape.. :-( )

Dw.
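The thread turns on how a client scopes cached Basic-auth credentials. RFC 2617 defines a Basic "protection space" as the canonical root URL of the server (scheme, host and port) together with the realm string, and credentials remembered for one protection space must never be replayed to another. The following is an added example, not code from the thread or from the httpd project: a small Python model of a client-side credential cache with correct RFC 2617 scoping, beside a deliberately loose variant that models the two quirks the posts describe (port ignored, empty realm "" matching any cached realm). It then checks the mitigations the thread mentions: giving each server a distinct realm string, and separating servers by IP address. The hostnames, realm names and credentials are constructed samples; the loose variant is an assumed model of the reported behaviour, not a description of any particular IE release, and the remark about realms needing to differ in their first few characters is not modelled (the loose variant still compares full realm strings).

```python
"""Model of Basic-auth credential caching: RFC 2617 scoping vs. loose matching.

Added example, not from the thread.  The "loose" mode is an assumed model of
the client behaviour the posts describe, used here only to show why the
suggested mitigations (distinct realms, distinct hosts/IPs) work.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ProtectionSpace:
    """RFC 2617 Basic protection space: canonical root URL plus realm."""
    scheme: str
    host: str
    port: int
    realm: str


class CredentialCache:
    """Remembers (user, password) per protection space.

    strict=True  : RFC 2617 scoping, scheme + host + port + realm must all match.
    strict=False : loose matching (assumed model of the reported behaviour):
                   the port is ignored and an empty realm in the challenge
                   matches any cached realm for that host.
    """

    def __init__(self, strict: bool = True) -> None:
        self.strict = strict
        self._store: Dict[ProtectionSpace, Tuple[str, str]] = {}

    def remember(self, space: ProtectionSpace, user: str, password: str) -> None:
        self._store[space] = (user, password)

    def lookup(self, challenge: ProtectionSpace) -> Optional[Tuple[str, str]]:
        """Credentials the client would send in response to this challenge."""
        if self.strict:
            return self._store.get(challenge)
        for cached, creds in self._store.items():
            same_server = (cached.scheme == challenge.scheme
                           and cached.host.lower() == challenge.host.lower())
            realm_ok = challenge.realm == "" or cached.realm == challenge.realm
            if same_server and realm_ok:
                return creds
        return None


# Constructed sample: a private realm on port 80 of a shared university host.
PRIVATE = ProtectionSpace("http", "www.example.edu", 80, "Private Area")
SAMPLE_CREDS = ("alice", "s3cret")  # constructed, not real credentials


def leaks_across_ports(strict: bool) -> bool:
    """Does a challenge from port 8080 of the same host receive port-80 creds?"""
    cache = CredentialCache(strict=strict)
    cache.remember(PRIVATE, *SAMPLE_CREDS)
    other_port = ProtectionSpace("http", "www.example.edu", 8080, "Private Area")
    return cache.lookup(other_port) is not None


def empty_realm_matches_anything(strict: bool) -> bool:
    """Does a challenge with realm "" receive creds cached for a named realm?"""
    cache = CredentialCache(strict=strict)
    cache.remember(PRIVATE, *SAMPLE_CREDS)
    wildcard = ProtectionSpace("http", "www.example.edu", 80, "")
    return cache.lookup(wildcard) is not None


def distinct_realms_protect(strict: bool) -> bool:
    """Mitigation 1 from the thread: each server gets its own realm string.
    True when even the loose client refuses to replay the credentials."""
    cache = CredentialCache(strict=strict)
    cache.remember(ProtectionSpace("http", "www.example.edu", 80, "Staff Private Area"),
                   *SAMPLE_CREDS)
    other = ProtectionSpace("http", "www.example.edu", 8080, "Student Web Space")
    return cache.lookup(other) is None


def distinct_hosts_protect(strict: bool) -> bool:
    """Mitigation 2 from the thread: separate IP addresses instead of port- or
    name-based vhosts on one host.  True when no replay occurs."""
    cache = CredentialCache(strict=strict)
    cache.remember(PRIVATE, *SAMPLE_CREDS)
    other_ip = ProtectionSpace("http", "192.0.2.20", 80, "Private Area")  # TEST-NET address
    return cache.lookup(other_ip) is None


if __name__ == "__main__":
    for strict in (True, False):
        print(f"strict={strict}: cross-port replay={leaks_across_ports(strict)}, "
              f"empty-realm replay={empty_realm_matches_anything(strict)}, "
              f"distinct realms protect={distinct_realms_protect(strict)}, "
              f"distinct hosts protect={distinct_hosts_protect(strict)}")
```

With strict scoping neither replay happens; in loose mode both do, which is the exposure the original post worries about on a shared host. Both mitigations hold in loose mode as well: a challenge with a different non-empty realm never matches, and a different host (IP) is a different server under either policy. The remaining gap, which the model cannot remove, is a server on the shared host that sends an empty realm, so distinct realm strings only help if every service on that host uses a named realm.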