good chemistry is complicated,
and a little bit messy -LW
Re: Essential CGI Security Practicesby belg4mit (Prior)
|on Feb 02, 2002 at 22:34 UTC||Need Help??|
I'm not sure about that Error Messages,
or at least the example. I know I always
find it incredibly frustrating to get
meaningless fluff back as error messages
from a website. If the error has some
meat to it I might be able to remedy the
thing myself by altering the form data
or hand-parsing the URL.
Simply saying "Invalid Login" doesn't buy you any securty if you're sending in the clear over the wire, so why make it harder on the user? There are other ways of handling brute-force attacks that you are expressing worry about here (think escalating delays for failures).
On the other hand, if you are truly paranoid minimizing the information you betray about your system is probably a good thing e.g. paths, server information (HTTP headers, etc.) (unfortunately?) that means no "Powered by Apache" feathers either ;-)
As for %ENV I stand by "Re: perlsec question".