I understand that the "correct" message is a different one, but I do not see why it has to amend the current one when the change ends up leaving the system more vulnerable. To me, what should be discussed now is not whether to put the correct message or not (because that is "correct"); what should be discussed is whether to allow changes that, in some way, compromise security.
On 13/03/2011, Rohit Sethi <rkli...@gmail.com> wrote:
> To summarize - if I understand correctly the only way a more specific
> error message can result in a problem is the following scenario:
> 1) An attacker correctly guesses credentials for a user on the admin site
> 2) The attacker does not try to authenticate with the same credentials
> on the regular site
>
> The attacker is able to determine that the credentials are correct AND
> the user is *not* an administrator. This is only a risk if #2 holds,
> which leads me to believe it's a very low risk scenario. You could
> argue there's some incremental security benefit in withholding
> information, but I'm not sure it justifies the hit to usability.
>
> My primary job is to help prevent security vulnerabilities, but I'd
> still say +1 for giving a more specific message in this context.
>
> On Mar 13, 10:41 am, TiNo <tin...@gmail.com> wrote:
>> +1 for giving a correct message. It has bitten me more than once, and I
>> really don't think it would make any attack harder.
>>
>> The information you would give is the same information that can be
>> acquired by logging in to the main site first, and then trying to log
>> in to the admin site. So at the moment we are trying to obscure
>> something that isn't obscure now either...
>>
>> On Sat, Mar 12, 2011 at 13:35, Peter <pjrhar...@gmail.com> wrote:
>> > I think some people seem to be confused about what is being asked for.
>> >
>> > I think the suggestion is that you should get this new "not an admin
>> > account" message iff the provided username _and_ password are correct.
>> > If you don't have permission, but provide an incorrect password, then
>> > you still get the old message.
>> >
>> > That way, you can only gain more information than with the current
>> > system when you have both a username and correct password. If an
>> > attacker has that information, then frankly, it's too late to be
>> > thinking about how to make things more secure.
>> >
>> > Regards,
>> >
>> > Peter
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Django developers" group.
>> > To post to this group, send email to django-developers@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > django-developers+unsubscr...@googlegroups.com.
>> > For more options, visit this group at
>> > http://groups.google.com/group/django-developers?hl=en.

-- 
:: juanpex
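The two admin-login policies the thread argues over, Peter's "specific message iff username and password are both correct" rule and the existing single generic message, written out as a small model. This is an added example, not Django's own admin login code: it replaces Django's auth backend with a constructed in-memory user table, and the account names, passwords and message strings are hypothetical. It lets a reader check the two claims made above: that the extra information only appears once both username and password are already correct (Peter), and that the same fact is already observable by logging in to the main site (TiNo).

```python
"""Models the admin-login message policies debated in the thread.

Added example, not Django's own code. It replaces Django's auth backend with
a constructed in-memory user table so it runs stand-alone; the account names,
passwords and message strings are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Optional

GENERIC_MSG = "Please enter a correct username and password."
NOT_STAFF_MSG = "This account does not have access to the admin site."
WELCOME_MSG = "Logged in to the admin site."


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash (stand-in for Django's password hasher)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, is_staff: bool) -> dict:
    """Build a constructed user record; is_staff mirrors Django's admin flag."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "is_staff": is_staff}


# Constructed sample accounts: one staff user, one regular user.
USERS = {
    "alice": make_user("alice-pw", is_staff=True),
    "bob": make_user("bob-pw", is_staff=False),
}


def authenticate(username: str, password: str) -> Optional[dict]:
    """Return the user record only when username AND password both match."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return None
    return user


def main_site_login(username: str, password: str) -> bool:
    """The regular (non-admin) site: any valid account can log in."""
    return authenticate(username, password) is not None


def admin_login_message(username: str, password: str, specific: bool) -> str:
    """Decide the admin login response.

    specific=False is the current behaviour: one generic message whether the
    credentials are wrong or the account is valid but not staff.
    specific=True is Peter's proposal: the "not an admin account" message is
    shown only when username and password are both correct.
    """
    user = authenticate(username, password)
    if user is None:
        return GENERIC_MSG
    if not user["is_staff"]:
        return NOT_STAFF_MSG if specific else GENERIC_MSG
    return WELCOME_MSG


def failure_messages(specific: bool) -> set:
    """Distinct messages a visitor sees for the two failure cases Rohit
    describes: wrong password, and correct password on a non-staff account."""
    return {
        admin_login_message("bob", "wrong-pw", specific),
        admin_login_message("bob", "bob-pw", specific),
    }


def specific_message_without_main_login(username: str, password: str) -> bool:
    """TiNo's point as a property check: the specific admin message can only
    appear for credentials that already log in to the main site, so this
    returns False for every input."""
    specific_hint = admin_login_message(username, password, True) == NOT_STAFF_MSG
    return specific_hint and not main_site_login(username, password)
```

With `specific=False` both failure cases collapse to one message; with `specific=True` they split into two, but only for a username/password pair that `main_site_login` already accepts, which is the whole of what the thread is weighing against the usability cost.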