MS to stop allowing passwords in URLs

From: McAllister, Andrew (McAllisterA_at_umsystem.edu)
Date: 01/28/04

    Date: Wed, 28 Jan 2004 16:54:00 -0600
    To: <bugtraq@securityfocus.com>

    I just read that Microsoft will stop allowing IDs and passwords to be
    embedded in URLs used by Internet Explorer. So you will no longer be
    able to use a URL like https://user:password@www.somehost.com/

    See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

    Their reasoning is that this will mitigate status bar spoofing as has
    recently been discussed here and in other forums. The article even goes
    so far as to admit that recent versions of IE show only the URL before
    the @ sign while older versions do not.

    Apparently MS has decided that this RFC URL syntax is simply too
    dangerous to allow in their products.

    Their suggested workarounds include among others:
      1) Having users click the "Remember my password" checkbox in IE.
      2) Using cookies.

    I personally use this syntax in only one production application, BBTray
    - a windows tray applet that watches my bigbrother monitoring server.
    Click the applet and it opens a browser window with the
    id:password@server.com syntax. The ID and password are specific to our
    bigbrother application, my workstation sits behind two firewalls and I
    am the only admin on the box. So, I consider this use to be legit and
    relatively safe given the convenience it provides.

    I certainly don't consider the "remember my password" functionality nor
    stored cookies any more or less safe than this syntax.

    Anyone have any comments regarding legitimate uses of this syntax and
    Microsoft removing it from their browser? (and presumably the OS since
    the browser IS the OS).

    Andrew McAllister
    University of Missouri
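As an added example (not part of the original post, of Microsoft's KB article, or of BBTray), the following Python shows the defensive side of the syntax under discussion: extracting the host a `user:password@host` URL actually resolves to, flagging the shape that enables the status-bar spoofing the post mentions (userinfo that looks like a trusted hostname), and redacting credentials before a URL is written to a log. The proxy-log lines, the `.example` hostnames and the address `198.51.100.7` are constructed placeholders.

```python
"""Inspect, flag and redact userinfo ("user:password@host") in URLs.

Added illustration for the thread above; not Microsoft's or the poster's
code. All sample URLs and log lines are constructed for this example.
"""
from urllib.parse import urlsplit, urlunsplit


def inspect_url(url: str) -> dict:
    """Return where the URL really points and whether it carries userinfo."""
    parts = urlsplit(url)
    # urlsplit strips userinfo from .hostname and exposes it via
    # .username / .password, so .hostname is the host that is really contacted.
    real_host = parts.hostname or ""
    has_userinfo = parts.username is not None
    netloc = parts.netloc
    # What a reader (or an old IE status bar) sees before the "@" sign
    shown_before_at = netloc.rsplit("@", 1)[0] if "@" in netloc else netloc
    # Heuristic: a "username" containing a dot and no password is the classic
    # spoof shape, e.g. http://www.trusted.example@<other host>/
    looks_like_host = (
        has_userinfo and "." in (parts.username or "") and parts.password is None
    )
    return {
        "real_host": real_host,
        "has_userinfo": has_userinfo,
        "has_password": parts.password is not None,
        "userinfo_looks_like_host": looks_like_host,
        "shown_before_at": shown_before_at,
    }


def redact_userinfo(url: str) -> str:
    """Strip credentials from the authority so the URL is safe to log."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url  # an "@" in the path or query is not userinfo
    hostport = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


# Constructed log lines in the shape "<timestamp> <client> <method> <url>"
SAMPLE_LOG = [
    "2004-01-28T16:54:00 10.0.0.5 GET https://www.example.com/index.html",
    "2004-01-28T16:55:10 10.0.0.5 GET https://user:password@www.somehost.com/",
    "2004-01-28T16:56:42 10.0.0.9 GET http://www.trustedbank.example@198.51.100.7/login",
]


def scan_proxy_log(lines):
    """Return (redacted_url, reason) for each log line that deserves review."""
    findings = []
    for line in lines:
        url = line.split()[-1]
        info = inspect_url(url)
        if info["userinfo_looks_like_host"]:
            findings.append((redact_userinfo(url),
                             "userinfo mimics a hostname; real host is " + info["real_host"]))
        elif info["has_password"]:
            findings.append((redact_userinfo(url), "credentials embedded in URL"))
    return findings


if __name__ == "__main__":
    for redacted, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{redacted}: {reason}")
```

The redaction is applied before anything is stored, so a proxy or application log never retains the password that the URL carried; the "looks like a host" heuristic is deliberately simple and is meant as a triage signal, not a verdict.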

