Interestingly, I've already found that this patch doesn't fix this problem
when using IE as an object in VB6. You can still programmatically call an
instance of IE as a browser object and use that format to log in to a web site.
At 05:54 PM 1/28/2004, McAllister, Andrew wrote:
>I just read that Microsoft will stop allowing IDs and passwords to be
>embedded in URLs used by Internet Explorer. So you will no longer be
>able to use a URL like https://user:password@www.somehost.com/
>
>See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
>
>Their reasoning is that this will mitigate status bar spoofing as has
>recently been discussed here and in other forums. The article even goes
>so far as to admit that recent versions of IE show only the URL before
>the @ sign while older versions do not.
>
>Apparently MS has decided that this RFC URL syntax is simply too
>dangerous to allow in their products.
>
>Their suggested workarounds include among others:
> 1) Having users click the "Remember my password" checkbox in IE.
> 2) Using cookies.
>
>I personally use this syntax in only one production application, BBTray
>- a Windows tray applet that watches my bigbrother monitoring server.
>Click the applet and it opens a browser window with the
>id:password@server.com syntax. The ID and password are specific to our
>bigbrother application, my workstation sits behind two firewalls and I
>am the only admin on the box. So, I consider this use to be legit and
>relatively safe given the convenience it provides.
>
>I certainly don't consider the "remember my password" functionality nor
>stored cookies any more or less safe than this syntax.
>
>Anyone have any comments regarding legitimate uses of this syntax and
>Microsoft removing it from their browser? (and presumably the OS since
>the browser IS the OS).
>
>Andrew McAllister
>University of Missouri
Vinny Abello
Network Engineer
Server Management
vinny (at) tellurian (dot) com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and
those that don't.
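
An added example, not part of the original thread or of any Microsoft code: a small link audit for the user:password@host URL syntax discussed above. It reports whether a URL carries userinfo, which host the request would actually go to, and a credential-free form suitable for logs or display. The function name auditUrl, the host-like heuristic and all sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the original thread). Sample URLs are constructed.
// Uses the WHATWG URL parser built into Node.js and browsers.

// Heuristic (assumption): userinfo shaped like a host name, e.g. "www.example.com",
// is the misleading case, because the text before '@' is not where the request goes.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function auditUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (err) {
    return { raw, valid: false };
  }
  const hasUserinfo = u.username !== "" || u.password !== "";
  let user = u.username;
  try {
    user = decodeURIComponent(u.username); // parser may percent-encode userinfo
  } catch (err) {
    // malformed escape sequence: keep the encoded form
  }
  const realHost = u.hostname; // host actually contacted (text after '@')

  // Build a credential-free copy that is safe to log or display.
  const safe = new URL(u.href);
  safe.username = "";
  safe.password = "";

  return {
    raw,
    valid: true,
    hasUserinfo,
    userinfoLooksLikeHost: hasUserinfo && HOSTLIKE.test(user),
    realHost,
    safeHref: safe.href,
  };
}

// Constructed samples: the form quoted in the thread, a host-like userinfo,
// and an '@' in the query string, which is not userinfo.
const samples = [
  "https://user:password@www.somehost.com/",
  "https://www.example.com@192.0.2.10/login",
  "https://www.somehost.com/path?x=a@b",
];
for (const s of samples) console.log(auditUrl(s));
```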