WS-Security and hashed password stores

Scott Watermasysk asks how he should deal with password validation for UsernameTokens with WS-Security if he has stored his passwords salted and hashed. This is something I’ve had some discussions about recently with people in the web services product team. Fundamentally, there is no silver bullet that answers this question. The hashed option for the…

HTTP protocol violation errors in .NET 1.1 SP1

Dare Obasanjo posts about a change in .NET 1.1 SP1 that can result in errors in RSS Bandit. SP1 introduces new, stricter parsing for the headers stored in a WebHeaderCollection. This was added as a security precaution and is of particular importance on servers. For example, Sanctum recently published a paper describing potential attacks on…