Bugtraq mailing list archives
RE: MS to stop allowing passwords in URLs
From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Wed, 4 Feb 2004 09:44:36 -0600
-----Original Message----- From: David B Harris [mailto:dbharris () eelf ddts net]
Or, hey, a different on-screen representation? Something like, I dunno, "http://user:pass@site/" being turned into "http://site/ (user: user, password: pass)"?
IMO, even this doesn't go far enough. We need to eliminate the use of URLs as authenticators entirely. Sites are popping up all over the place with *legitimate* hostnames confusingly similar to real ones. Getting tricky with URL encoding is only part of the problem. Users need to start *expecting* to see an SSL- or TLS-validated identity before they trust that they're seeing content from someone they think they are. You wouldn't walk into a store front with "Micro Soft" scrawled in crayon and reasonably expect to receive legitimate Microsoft products in return for your cash, but this is what people are falling victim to every day on the web. Every non-authenticated web page needs to be treated as unauthenticated, and browsers should make this clear up front. Users need to understand that when they are interacting with a web page at "example.com", they're only PROBABLY interacting with the "example.com" Internet domain. Instead, they believe they ARE interacting (in a trustworthy fashion) with "Example Widgets", even though there's no trusted relationship between "Example Widgets" and example.com they can see, other than example.com saying they are. Eliminate a user's dependence upon the URL as an authenticator (and a search engine, for that matter, guessing "www.<search term>.com"), and you eliminate the bulk of the problem here. People can do all of the stupid encoding tricks they want at that point and it won't matter, since the URL becomes almost entirely a machine-usable piece of data anyway, and the computer isn't easily deceived by such tricks. David
Current thread:
- RE: MS to stop allowing passwords in URLs, (continued)
- RE: MS to stop allowing passwords in URLs Andrew Harwood (Feb 03)
- Re: MS to stop allowing passwords in URLs 3APA3A (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave McCormick (Feb 03)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 03)
- Message not available
- Re: MS to stop allowing passwords in URLs Paul Smith (Feb 03)
- RE: MS to stop allowing passwords in URLs Richard M. Smith (Feb 03)
- RE: MS to stop allowing passwords in URLs Francis Favorini (Feb 03)
- RE: MS to stop allowing passwords in URLs Thor Larholm (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 05)
- RE: MS to stop allowing passwords in URLs NESTING, DAVID M (SBCSI) (Feb 05)