Open Bug 1096827 Opened 10 years ago Updated 10 years ago

goneo.de - downgrade auth meth

Categories

(Webtools :: ISPDB Database Entries, defect)

defect
Not set
normal

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: th, Unassigned)

Attached file config-v1.1.xml
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141106120505

Steps to reproduce:

I just created a new configuration file (config-v1.1.xml) for the customers of the goneo Internet GmbH in Germany.

Actual results:

We've made some internal changes, and so we've to make some changes in the configuration file. We've tested this file on separate local machines, and everything works fine.

Expected results:

Please update this file in your ISP Database. Thanks in advance
As mentioned per email, we don't do downgrades of security. Particularly, because all existing users keep the old configuration, it will not be automatically migrated, and they will all see a warning about a possible attack. Once you publish a setting, you will have to support it forever. Especially, you can't do downgrades, because intended downgrades look the same as downgrade attacks and phishing attempts, and we need to prevent those.
Not sure whether this was clear, but even if we fix the config here, all existing users still have the problem. Therefore, this is not the right place to fix. You need to fix your servers to continue to accept encrypted passwords.
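The kind of check a provider could run before submitting an updated config-v1.1.xml, as an added example that is not part of the original bug or of the ISPDB tooling: it compares the published and the proposed file and reports any server whose `socketType` or `authentication` became weaker. The sample XML, the `example.com` host names, the function names and the strength ranking are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Assumed strength ranking for this example only (higher = stronger).
AUTH_RANK = {"none": 0, "password-cleartext": 1, "password-encrypted": 2}
SOCKET_RANK = {"plain": 0, "STARTTLS": 1, "SSL": 2}

# Constructed sample configs (not the attachment from this bug).
OLD = """<clientConfig version="1.1"><emailProvider id="example.com">
<incomingServer type="imap"><hostname>imap.example.com</hostname><port>993</port>
<socketType>SSL</socketType><authentication>password-encrypted</authentication></incomingServer>
<outgoingServer type="smtp"><hostname>smtp.example.com</hostname><port>587</port>
<socketType>STARTTLS</socketType><authentication>password-encrypted</authentication></outgoingServer>
</emailProvider></clientConfig>"""
NEW = OLD.replace("password-encrypted", "password-cleartext")


def servers(xml_text):
    """Map (direction, protocol) -> (socketType, first authentication) of the first such server."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("incomingServer", "outgoingServer"):
            key = (el.tag, el.get("type"))
            out.setdefault(key, (el.findtext("socketType", "").strip(),
                                 el.findtext("authentication", "").strip()))
    return out


def find_downgrades(old_xml, new_xml):
    """Return findings where the new config is weaker than, or not comparable to, the old one."""
    findings = []
    new = servers(new_xml)
    for key, (old_sock, old_auth) in servers(old_xml).items():
        if key not in new:
            findings.append((key, "server", "removed"))
            continue
        new_sock, new_auth = new[key]
        for field, rank, old_v, new_v in (("socketType", SOCKET_RANK, old_sock, new_sock),
                                          ("authentication", AUTH_RANK, old_auth, new_auth)):
            if old_v == new_v:
                continue
            if old_v not in rank or new_v not in rank:
                findings.append((key, field, f"unranked change {old_v!r} -> {new_v!r}"))
            elif rank[new_v] < rank[old_v]:
                findings.append((key, field, f"downgrade {old_v} -> {new_v}"))
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(OLD, NEW):
        print(finding)
```

Values outside the two ranking tables are reported as unranked changes rather than silently accepted, so a reviewer decides on them by hand.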