Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

From: jkohl (jkohlat_private)
Date: Fri Jun 08 2001 - 13:03:37 PDT


> On Fri, 08 Jun 2001 00:37:34 -0700 Peter Ajamian <peterat_private> wrote:
> Problem:
>
> While crypt password authentication is not in and of itself very secure,
> Network Solutions have made it even less so by including the first two
> characters of the password as the salt of the encrypted form.  While the
> password is transmitted via a secure session, the encrypted form is
> returned almost immediately in a non-encrypted www session.  Also, this
> password is typically emailed back and forth to the user no less than two
> times (and often times more).  This allows several opportunities for
> someone to observe the encrypted password; this in and of itself is not
> good.

<snip>

Peter, great call, I was actually going to post about this myself, but
wasn't sure if this list was the right place for the NS web-based stuff.

There are some additional concerns about their Crypt-PW solution (which
I've mentioned to them, and they've not done anything about it)...

1) Even though Crypt-PW is supposedly a replacement for MAIL-TO, you still
must have a valid email address to use Crypt-PW...so what IS the point of
having Crypt-PW?  (Especially as it's not secure)

2) If you do NOT have a valid email address (i.e. dropped account, etc.) NS
emails the completed forms (with the entire Auth password) to the address
anyway.  If, especially in the case of some ISPs, they have 'reused' the
login after an extended amount of time, they've just emailed someone else
your encrypted password for your domain.  If not, it's going to go into the
admin no-relay logs, leaving it open to abuse by someone with access to the
mail host.  And, not to leave out Peter's mention of the fact that they are
sending the cleartext mail (with the password) where anyone can view it.

Workarounds...do NOT use Crypt-PW as an authentication, and ensure that you
change your domain records *before* losing the account, as Crypt-PW will not
allow you to access or change records if you do not still own the email
address.

Cheers!

Jan Kohl
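The following is an added illustration of the salt point raised in the quoted text; it is not part of this thread and not Network Solutions' code. It uses a toy stand-in for crypt(3) (SHA-256 instead of DES, so it runs on current Python without the removed `crypt` module) that keeps crypt's output shape: a 13-character string whose first two characters are the salt in the clear. `weak_crypt` mimics the scheme the post describes, where the salt is the first two characters of the password, `proper_crypt` draws the salt from a CSPRNG, and `salt_reveals_prefix` is an audit check a registrar or reviewer could run over stored (password, hash) pairs to flag the weak scheme. The password value and the 95-symbol printable alphabet in `remaining_keyspace` are constructed for the example.

```python
import hashlib
import secrets

# The 64-character alphabet traditional crypt(3) uses for its salt and hash text.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): a 2-char salt followed by 11 chars of hash text.

    The real function is DES-based; SHA-256 is used here only so the example
    runs anywhere. The output shape matches crypt(3): 13 characters, the first
    two of which are the salt, readable by anyone who sees the hash.
    """
    if len(salt) != 2 or any(c not in CRYPT_ALPHABET for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    digest = hashlib.sha256((salt + password).encode("utf-8")).digest()
    text = "".join(CRYPT_ALPHABET[b % 64] for b in digest[:11])
    return salt + text


def weak_crypt(password: str) -> str:
    """Salt derived from the password itself (its first two characters), the
    scheme the post complains about. The hash discloses those two characters."""
    return toy_crypt(password, password[:2])


def proper_crypt(password: str) -> str:
    """Salt drawn from a CSPRNG, independent of the password."""
    salt = "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))
    return toy_crypt(password, salt)


def salt_of(crypt_hash: str) -> str:
    """The salt is never secret: it is the first two characters of the hash."""
    return crypt_hash[:2]


def salt_reveals_prefix(password: str, crypt_hash: str) -> bool:
    """Audit check for a (password, stored hash) pair: does the public salt
    equal the password's first two characters? True means the scheme leaks them."""
    return salt_of(crypt_hash) == password[:2]


def remaining_keyspace(alphabet_size: int, length: int, leaked_chars: int = 2) -> tuple:
    """Search-space size before and after `leaked_chars` characters of a
    `length`-character password over `alphabet_size` symbols are disclosed."""
    full = alphabet_size ** length
    if leaked_chars >= length:
        return full, 1
    return full, alphabet_size ** (length - leaked_chars)


if __name__ == "__main__":
    pw = "Zq7pLm2x"  # constructed sample password
    weak = weak_crypt(pw)
    good = proper_crypt(pw)
    print("weak:", weak, "salt", salt_of(weak), "leaks prefix:", salt_reveals_prefix(pw, weak))
    print("good:", good, "salt", salt_of(good), "leaks prefix:", salt_reveals_prefix(pw, good))
    print("8-char password over 95 printable symbols, before/after:", remaining_keyspace(95, 8))
```

Because crypt's salt is stored in the clear and, in the weak scheme, equals the password prefix, every copy of the hash that travels over plain HTTP or through mail (the exposures the post lists) also carries the first two password characters; a password-independent salt removes that disclosure without changing the storage format.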
    



This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 16:07:08 PDT