Open
Bug 1096827
Opened 10 years ago
Updated 10 years ago
goneo.de - downgrade auth meth
Categories
(Webtools :: ISPDB Database Entries, defect)
Tracking
(Not tracked)
UNCONFIRMED
People
(Reporter: th, Unassigned)
Details
Attachments
(1 file)
1.60 KB,
text/xml
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141106120505
Steps to reproduce:
I just created a new configuration file (config-v1.1.xml) for the customers of the goneo Internet GmbH in Germany.
Actual results:
We've made some internal changes, and so we have to make some changes in the configuration file. We've tested this file on separate local machines, and everything works fine.
Expected results:
Please update this file in your ISP Database. Thanks in advance.
Comment 1•10 years ago
As mentioned per email, we don't do downgrades of security.
Particularly, because all existing users keep the old configuration, it will not be automatically migrated, and they will all see a warning about a possible attack. Once you publish a setting, you will have to support it forever. Esp. you can't do downgrades, because intended downgrades look the same as downgrade attacks and phishing attempts, and we need to prevent those.
Comment 2•10 years ago
Not sure whether this was clear, but even if we fix the config here, all existing users still have the problem. Therefore, this is not the right place to fix. You need to fix your servers to continue to accept encrypted passwords.
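Added example, not part of the bug thread and not ISPDB's own tooling: a pre-submission check that compares a published autoconfig file with a proposed replacement and reports any server whose socketType or authentication became weaker. The hostnames, the sample XML and the strength ordering are assumptions made for this sketch; values outside the ordering are ranked lowest so they surface for manual review.

```python
import xml.etree.ElementTree as ET

# Assumed strength ordering for this example (higher is stronger).
AUTH_RANK = {"none": 0, "password-cleartext": 1, "password-encrypted": 2}
SOCKET_RANK = {"plain": 0, "STARTTLS": 1, "SSL": 2}

# Constructed sample configs; hostnames are placeholders.
OLD = """<clientConfig version="1.1"><emailProvider id="example.test">
  <incomingServer type="imap"><hostname>imap.example.test</hostname>
    <port>993</port><socketType>SSL</socketType>
    <authentication>password-encrypted</authentication></incomingServer>
  <outgoingServer type="smtp"><hostname>smtp.example.test</hostname>
    <port>465</port><socketType>SSL</socketType>
    <authentication>password-encrypted</authentication></outgoingServer>
</emailProvider></clientConfig>"""
NEW = OLD.replace("password-encrypted", "password-cleartext", 1)


def servers(xml_text):
    """Map (element tag, type, hostname) -> (socketType, strongest auth offered)."""
    out = {}
    for srv in ET.fromstring(xml_text).iter():
        if srv.tag not in ("incomingServer", "outgoingServer"):
            continue
        auths = [a.text.strip() for a in srv.findall("authentication") if a.text]
        best = max(auths, key=lambda a: AUTH_RANK.get(a, -1), default="none")
        key = (srv.tag, srv.get("type"), (srv.findtext("hostname") or "").strip())
        out[key] = ((srv.findtext("socketType") or "plain").strip(), best)
    return out


def downgrades(old_xml, new_xml):
    """Return findings where the new config is weaker than the published one."""
    old, new = servers(old_xml), servers(new_xml)
    findings = []
    for key, (o_sock, o_auth) in old.items():
        if key not in new:
            continue  # server removed or renamed: needs manual review
        n_sock, n_auth = new[key]
        if SOCKET_RANK.get(n_sock, -1) < SOCKET_RANK.get(o_sock, -1):
            findings.append((key, "socketType", o_sock, n_sock))
        if AUTH_RANK.get(n_auth, -1) < AUTH_RANK.get(o_auth, -1):
            findings.append((key, "authentication", o_auth, n_auth))
    return findings


if __name__ == "__main__":
    print(downgrades(OLD, NEW))
```

A non-empty result means existing users, who keep the old settings, would hit the warning described in Comment 1.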