Re: MS to stop allowing passwords in URLs

• Previous message: Seth Arnold: "Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)"
• In reply to: Dave Warren: "Re: MS to stop allowing passwords in URLs"
• Next in thread: Vinny Abello: "Re: MS to stop allowing passwords in URLs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 06 Feb 2004 17:01:20 +1300
To: bugtraq@securityfocus.com

"Dave Warren" <dave.warren@devilsplayground.net> wrote:

<<big snip>>
> It's probably too late, but rather then removing user:password support
> altogether, maybe Microsoft could replace it with a dialog that informs the
> user they are about to visit "session-arhuz.ru" with the username
> "www.herbank.com", and an appropriate warning about not revealing sensitive
> information, blahblahblah?

Yeah, just like the "The doument you are opening contains macros or
customizations. Some macros may contain viruses that could harm your
computer. [...]" warnings prevented Word macro viruses...

A user naïve enough to click on such a link does, in some important
sense, _want_ to visit that page. Your suggested warning is just
another thing that such users see as "getting in the way of doing what
I want to do". Therefore, if implemented it would become more part of
the problem than the solution (as users will become ever more familiar
with ignoring "warnings" and clicking through them). If you understand
users, you will know that in helping them to not shoot themselves in
the feet, the only useful appraoch is to remove everything capable of
firing the bullets (and quite a few things beside!)...

On the Word macro virus front, things got notably better _NOT_ when MS
implemented the above warning (that the users could blithely ignore and
even _disable_ right there on the warning dialog -- what a travesty of
mis-design that was!) but when it released a version of Word that
defaulted to not running macros unless they were signed with an
acceptable (as configured by the user/admin) key (there are legion
flaws in the design of this feature, but it was strong enough to
significantly impact the Word macro virus problem). In IE, removing
support for this mis-feature (read RFC 2616) will have a much greater
impact than trying to "direct" users who don't want to be directed with
"warnings" and other stuff that "gets in their way".

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

• Previous message: Seth Arnold: "Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)"
• In reply to: Dave Warren: "Re: MS to stop allowing passwords in URLs"
• Next in thread: Vinny Abello: "Re: MS to stop allowing passwords in URLs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]