Hi!
Regarding the "URL coding: ftp passwords in clear" thread, there is
something more to be said.
The passwords are shown in clear also in the "Filedescriptor Usage"
section of the cachemgr.cgi script! And this one was personally verified
by me on one of the nlanr.net hosts...
Also be aware that http requests with 'password clear URLs' (like
http://user@pass:host/) are also displayed in clear text...
One good solution for this, if found annoying, is to either strip or
modify the in-text password, like wget does:
'ftp://u@p:host/' becomes 'ftp://u@xxxxxxxx:host/'
So we get both side benefits: the users are secured from hacker attacks
and the admins have their 'warez' proofs [should there be a squid.conf
option to make logs store the passwords in clear text?].
Hope this will help rather than inflame ya ... :)
Ady (@warp.starnets.ro)
Received on Thu Jul 10 1997 - 01:09:11 MDT
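
An added example, not part of the original message and not Squid or wget code: one way to apply the masking idea above to log lines or status-page output before they are shown. It assumes the standard `scheme://user:password@host/` layout; `redact`, `MASK` and the sample lines are constructed for illustration.

```python
import re

MASK = "xxxxxxxx"  # fixed width, so the mask does not reveal password length

# scheme:// followed by the authority part, which ends at the first
# '/', '?', '#' or whitespace character.
_URL_AUTHORITY = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*://)([^/?#\s]+)")


def _mask_authority(match):
    scheme, authority = match.group(1), match.group(2)
    # Split on the LAST '@': a raw '@' typed inside the password must not
    # leave part of the secret on the host side of the split.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        return match.group(0)  # no credentials in this URL
    user, colon, password = userinfo.partition(":")
    if not colon or not password:
        return match.group(0)  # user name only, nothing to hide
    return f"{scheme}{user}:{MASK}@{hostport}"


def redact(text):
    """Mask the password of every URL found in a log line or status page."""
    return _URL_AUTHORITY.sub(_mask_authority, text)


# Constructed sample lines (not real log data).
SAMPLE_LINES = [
    "GET ftp://ady:s3cret@ftp.example.org/pub/file.tar 200",
    "GET http://user:p@ss@www.example.org:8080/ 200",
    "GET ftp://u:pw@[2001:db8::1]:21/x 200",
    "GET ftp://anonymous@ftp.example.org/ 200",
    "GET http://www.example.org:3128/a@b 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact(line))
```

The user name and host stay visible, so an administrator can still attribute a request while the secret itself never reaches the log or the status page.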