RE: MS to stop allowing passwords in URLs

From: Richard M. Smith (rms_at_computerbytesman.com)
Date: 02/03/04

  • Next message: Peter Winter-Smith: "Web Crossing 4.x/5.x Denial of Service Vulnerability"
    To: "'McAllister, Andrew'" <McAllisterA@umsystem.edu>, <bugtraq@securityfocus.com>
    Date: Tue, 3 Feb 2004 07:54:22 -0800
    
    

    >>> Anyone have any comments regarding legitimate
    >>> uses of this syntax and Microsoft removing it
    >>> from their browser? (and presumably the OS since
    >>> the browser IS the OS).

    It always was a bad idea to put plaintext passwords in URLs because it
    encouraged users to give away passwords in links on public Web pages. The
    spoofing games were the second big problem with them that showed up later.
    Glad to see Microsoft getting rid of the feature.

    Richard


  • Next message: Peter Winter-Smith: "Web Crossing 4.x/5.x Denial of Service Vulnerability"