BugTraq
MS to stop allowing passwords in URLs Jan 28 2004 10:54PM
McAllister, Andrew (McAllisterA umsystem edu) (10 replies)
Re: MS to stop allowing passwords in URLs Feb 03 2004 10:12PM
Nick FitzGerald (nick virus-l demon co uk)
Re: MS to stop allowing passwords in URLs Feb 03 2004 05:26PM
3APA3A (3APA3A SECURITY NNOV RU)
RE: MS to stop allowing passwords in URLs Feb 03 2004 03:54PM
Richard M. Smith (rms computerbytesman com)
RE: MS to stop allowing passwords in URLs Feb 03 2004 02:26PM
Andrew Harwood (aaharwood_maillist bigpond com)
Re: MS to stop allowing passwords in URLs Feb 03 2004 10:32AM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: MS to stop allowing passwords in URLs Feb 03 2004 05:31AM
Sam Schinke (sschinke myrealbox com)
Re: MS to stop allowing passwords in URLs Feb 03 2004 05:06AM
Dave McCormick (mccormic xecu net)
Andrew,

You said:
<I just read that Microsoft will stop allowing IDs and passwords to be
<embedded in URLs used by Internet Explorer. So you will no longer be
<able to use a URL like https://user:password@www.somehost.com/

I wanted to point out the option to make a reg key change that will
maintain the user@ functionality instead of utilizing the new default
behavior that occurs by applying the patch.

<snipped from MS article>
How to disable the new default behavior for handling user information in
HTTP or HTTPS URLs

To disable the new default behavior in Windows Explorer and Internet
Explorer, create iexplore.exe and explorer.exe DWORD values in one of the
following registry keys and set their value data to 0:

For all users:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

For the current user only:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Overall, I think that MS is doing the right thing with this. I cannot
count how many HTML emails I've received that are supposedly from PayPal,
or Visa or <insert your favorite financial organization here> wherein a
kiddie wannabe with minimal English skills asks "please verafy your
accoont information". That information is piped to a cgi on a hacked box
somewhere that snarfs the info then redirects you to the real site that is
supposedly asking for the info.

*yawn*

I guarantee that there are people out there (although probably not on this
list) that have swallowed the bait and forwarded their credit card #, SSN
#, all their pin numbers to every bank account they own as well as their
grandmother's bra size because they were presented with an official looking
html email that asked for the info. Why else do so many of these types of
con jobs flood the net?

This is getting to be as bad as the Nigerian email scam. You know the one
that starts out, "Dear Sir, <insert impressive title of some 3rd world
country here> left me 10 million dollars and I need your help."

Overall I think it's the right thing to do and I'm glad that MS is doing
it.

just my .02 so please, flames > /dev/null

Regards,

Dave McCormick
dave (at) fred.net_nospam (dot) com [email concealed]
mccormic (at) xecu.net_nospam (dot) com [email concealed]

"Kool-Aid anyone?" - Bill Gates
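
An added example, not part of the message above or of the Microsoft article it quotes: a PowerShell check a defender can run to see whether the opt-out described in the message (iexplore.exe or explorer.exe set to 0 under FEATURE_HTTP_USERNAME_PASSWORD_DISABLE) is present on a machine. The key path and value names are the ones quoted in the message; the variable names and report columns are this example's own.

```powershell
# Added example: report whether the opt-out quoted in the message is in place.
# Key path and value names come from the quoted Microsoft text; the variable
# names and output columns are this example's own.
$feature = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\' +
           'FEATURE_HTTP_USERNAME_PASSWORD_DISABLE'
# HKCU is the hive of the account running this script, not of every user.
$scopes  = [ordered]@{ HKLM = 'all users'; HKCU = 'current user only' }
$names   = 'iexplore.exe', 'explorer.exe'

$findings = foreach ($hive in $scopes.Keys) {
    $path = "${hive}:\$feature"
    foreach ($name in $names) {
        $data = $null
        if (Test-Path -LiteralPath $path) {
            # A missing value is not an error here: it means no override.
            $item = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $data = $item.$name }
        }
        [pscustomobject]@{
            Scope      = $scopes[$hive]
            Key        = $path
            ValueName  = $name
            Data       = if ($null -eq $data) { '(not set)' } else { $data }
            # Per the quoted article, value data 0 turns the new default behavior off.
            Overridden = ($null -ne $data -and $data -eq 0)
        }
    }
}

$findings | Format-Table -AutoSize

$hits = @($findings | Where-Object { $_.Overridden })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} value(s) set to 0: user information in HTTP/HTTPS URLs is accepted again." -f $hits.Count)
    exit 1
}
Write-Output 'No override found in the scopes checked.'
```

The non-zero exit code lets the check be used from a scheduled compliance job.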

Re: MS to stop allowing passwords in URLs Feb 03 2004 04:01AM
Dave Warren (dave warren devilsplayground net) (3 replies)
Re: MS to stop allowing passwords in URLs Feb 06 2004 04:01AM
Nick FitzGerald (nick virus-l demon co uk)
Re: MS to stop allowing passwords in URLs Feb 04 2004 08:07AM
Gunnar Östlund (kalix dc luth se)
Re: MS to stop allowing passwords in URLs Feb 03 2004 06:09PM
David B Harris (dbharris eelf ddts net)
Re: MS to stop allowing passwords in URLs Feb 03 2004 03:57AM
N407ER (n407er myrealbox com)
RE: MS to stop allowing passwords in URLs Feb 03 2004 01:58AM
Fergus Brooks (fergusb evolve-online com) (1 replies)
RE: MS to stop allowing passwords in URLs Feb 03 2004 06:00PM
Joe Weisenberger (jjfw one net)


 

Copyright 2010, SecurityFocus