BugTraq
MS to stop allowing passwords in URLs Jan 28 2004 10:54PM
McAllister, Andrew (McAllisterA umsystem edu) (10 replies)
RE: MS to stop allowing passwords in URLs Feb 03 2004 01:58AM
Fergus Brooks (fergusb evolve-online com) (1 replies)

Andrew - I agree entirely about "Remember my password" and cookies being
no safer. Password saving on shared machines is a nightmare - especially
as machines built with XP by default allow you to have a passwordless
generic login to the machine.

Seeing some of the passwords that come up on machines in cafes etc makes
me understand why there is so much shared-machine related fraud and
misuse of people's webmail accounts.

Also I have found that often, to get to an FTP server on the Internet
(depending on the proxy, connection, firewall etc), you need to use
this format. Taking this functionality away will certainly make it
harder for a lot of support people and consultants to do their jobs.

Back to having *every imaginable tool* in the CD case when visiting
client sites. Or maybe we should just start putting all our good
stuff up on anonymous FTP sites?

Rgds...

-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA (at) umsystem (dot) edu]
Sent: Thursday, 29 January 2004 6:54 AM
To: bugtraq (at) securityfocus (dot) com
Subject: MS to stop allowing passwords in URLs

I just read that Microsoft will stop allowing IDs and passwords to be
embedded in URLs used by Internet Explorer. So you will no longer be
able to use a URL like https://user:password@www.somehost.com/

See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

Their reasoning is that this will mitigate status bar spoofing as has
recently been discussed here and in other forums. The article even goes
so far as to admit that recent versions of IE show only the URL before
the @ sign while older versions do not.

Apparently MS has decided that this RFC URL syntax is simply too
dangerous to allow in their products.

Their suggested workarounds include among others:
1) Having users click the "Remember my password" checkbox in IE.
2) Using cookies.

I personally use this syntax in only one production application, BBTray
- a windows tray applet that watches my bigbrother monitoring server.
Click the applet and it opens a browser window with the
id:password@server.com syntax. The ID and password are specific to our
bigbrother application, my workstation sits behind two firewalls and I
am the only admin on the box. So, I consider this use to be legit and
relatively safe given the convenience it provides.

I certainly don't consider the "remember my password" functionality nor
stored cookies any more or less safe than this syntax.

Anyone have any comments regarding legitimate uses of this syntax and
Microsoft removing it from their browser? (and presumably the OS since
the browser IS the OS).

Andrew McAllister
University of Missouri
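Worked example, added here and not part of the thread: a small Python audit that shows which host a URL written with the user:password@host syntax actually resolves to, and flags userinfo that looks like a host name (the status-bar spoofing case the KB article is reacting to). The sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the thread).
SAMPLE_URLS = [
    "https://user:password@www.somehost.com/",             # credentials, legitimate use
    "http://www.trusted-bank.example@evil.example/login",  # userinfo mimics a host name
    "http://www.example.com/path?q=a@b",                   # '@' only in the query, no userinfo
    "ftp://anonymous:guest@ftp.example.org/pub/",          # FTP through a proxy, as in the reply
]

# A "user name" that is made of dotted labels (www.x.example) is the spoofing cue:
# a status bar that only shows the text before '@' would display it as the site.
HOSTNAME_LIKE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def real_host(url):
    """Host a conforming client connects to: the authority after the last '@'."""
    return urlsplit(url).hostname


def userinfo(url):
    """The userinfo component (text before '@' in the authority), or None."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    return netloc.rsplit("@", 1)[0]


def classify(url):
    """Return host, userinfo and a verdict: no-userinfo, credentials or host-spoof."""
    info = userinfo(url)
    if info is None:
        verdict = "no-userinfo"
    else:
        user = info.split(":", 1)[0]
        verdict = "host-spoof" if HOSTNAME_LIKE.fullmatch(user) else "credentials"
    return {"host": real_host(url), "userinfo": info, "verdict": verdict}


def audit(urls):
    """Classify a list of URLs, e.g. from a proxy log, into (url, verdict) pairs."""
    return [(u, classify(u)["verdict"]) for u in urls]


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS):
        print(f"{verdict:12} host={real_host(url):20} {url}")
```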

Copyright 2010, SecurityFocus