It was demonstrated to me recently that if one used "NT" authentication with a non-IE browser one's NT password was available to the writer of the ASP script. Encryption between the browser and server is inmaterial. The password has already been decrypted. If one used IE then credentials rather than passwords are sent. If harvesting passwords is available with IIS, why can it not be done with 9iAS?
Ian MacGregor Stanford Linear Accelerator Center [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: MacGregor, Ian A. INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
