|
|
BugTraq
MS to stop allowing passwords in URLs Jan 28 2004 10:54PM McAllister, Andrew (McAllisterA umsystem edu) (10 replies) Re: MS to stop allowing passwords in URLs Feb 03 2004 10:12PM Nick FitzGerald (nick virus-l demon co uk) RE: MS to stop allowing passwords in URLs Feb 03 2004 03:54PM Richard M. Smith (rms computerbytesman com) RE: MS to stop allowing passwords in URLs Feb 03 2004 02:26PM Andrew Harwood (aaharwood_maillist bigpond com) Re: MS to stop allowing passwords in URLs Feb 03 2004 10:32AM Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) Re: MS to stop allowing passwords in URLs Feb 03 2004 04:01AM Dave Warren (dave warren devilsplayground net) (3 replies) Re: MS to stop allowing passwords in URLs Feb 06 2004 04:01AM Nick FitzGerald (nick virus-l demon co uk) Re: MS to stop allowing passwords in URLs Feb 03 2004 06:09PM David B Harris (dbharris eelf ddts net) RE: MS to stop allowing passwords in URLs Feb 03 2004 01:58AM Fergus Brooks (fergusb evolve-online com) (1 replies) |
|
Privacy Statement |
> I just read that Microsoft will stop allowing IDs and passwords to be
> embedded in URLs used by Internet Explorer. So you will no longer be
> able to use a URL like https://user:password (at) www.somehost (dot) com [email concealed]/
>
> See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
>
> Their reasoning is that this will mitigate status bar spoofing as has
> recently been discussed here and in other forums. The article even goes
> so far as to admit that recent versions of IE show only the URL before
> the @ sign while older versions do not.
>
> Apparently MS has decided that this RFC URL syntax is simply too
> dangerous to allow in their products.
>
> Their suggested workarounds include among others:
> 1) Having users click the "Remember my password" checkbox in IE.
> 2) Using cookies.
>
> I personally use this syntax in only one production application, BBTray
> - a windows tray applet that watches my bigbrother monitoring server.
> Click the applet and it opens a browser window with the
> id:passowrd (at) server (dot) com [email concealed] syntax. The ID and password is specific to our
> bigbrother application, my workstation sits behind two firewalls and I
> am the only admin on the box. So, I consider this use to be legit and
> relatively safe given the convenience it provides.
>
> I certainly don't consider the "remember my password" functionality nor
> stored cookies any more or less safe than this syntax.
>
> Anyone have any comments regarding legitimate uses of this syntax and
> Microsoft removing it from their browser? (and presumably the OS since
> the browser IS the OS).
>
> Andrew McAllister
> University of Missouri
>
Despite what MS's notice says, presumably the primary motive for this
was to avoid the URL spoofing detailed here
(http://www.microsoft.com/technet/treeview/?url=/technet/security/bullet
in/MS04-004.asp).
In fact, that webpage specifically states that it is to fix ``three
newly-discovered vulnerabilities'' (``newly=discovered'' apparently
being a relative term), including ``a misrepresentation of the URL in
the address bar of an Internet Explorer window''.
So the security reasons they cite on the page you link to probably
aren't that they consider that syntax to be insecure relative to cookies
or ``Remember My Password'', but that the best way to avoid URL spoofing
they could come up with (after, apparently, months of effort) was to
eliminate the feature alltogether.
I can think of another great way to fix the vulnerabilities in Windows.
It's called fdisk.
Hope that helps!
[ reply ]