Bugtraq mailing list archives
RE: MS to stop allowing passwords in URLs
From: "Fergus Brooks" <fergusb () evolve-online com>
Date: Tue, 3 Feb 2004 09:58:10 +0800
Andrew - I agree entirely about "Remember my password" and cookies being no safer. Password saving on shared machines is a nightmare - especially as machines built with XP by default allow you to have a passwordless generic login to the machine. Seeing some of the passwords that come up on machines in cafes etc. makes me understand why there is so much shared-machine related fraud and misuse of people's webmail accounts.

Also I have found that often, to get to an FTP server on the Internet (depending on the proxy, connection, firewall etc.), you need to use this format. Taking this functionality away will certainly make it harder for a lot of support people and consultants to do their jobs. Back to having *every imaginable tool* in the CD case when visiting client sites. Or maybe we should just start putting all our good stuff up on anonymous FTP sites?

Rgds...

-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA () umsystem edu]
Sent: Thursday, 29 January 2004 6:54 AM
To: bugtraq () securityfocus com
Subject: MS to stop allowing passwords in URLs

I just read that Microsoft will stop allowing IDs and passwords to be embedded in URLs used by Internet Explorer. So you will no longer be able to use a URL like https://user:password () www somehost com/

See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

Their reasoning is that this will mitigate status bar spoofing, as has recently been discussed here and in other forums. The article even goes so far as to admit that recent versions of IE show only the URL before the @ sign while older versions do not. Apparently MS has decided that this RFC URL syntax is simply too dangerous to allow in their products.

Their suggested workarounds include, among others:
1) Having users click the "Remember my password" checkbox in IE.
2) Using cookies.

I personally use this syntax in only one production application, BBTray - a Windows tray applet that watches my bigbrother monitoring server. Click the applet and it opens a browser window with the id:password () server com syntax. The ID and password are specific to our bigbrother application, my workstation sits behind two firewalls and I am the only admin on the box. So, I consider this use to be legit and relatively safe given the convenience it provides. I certainly don't consider the "remember my password" functionality nor stored cookies any more or less safe than this syntax.

Anyone have any comments regarding legitimate uses of this syntax and Microsoft removing it from their browser? (and presumably the OS since the browser IS the OS).

Andrew McAllister
University of Missouri
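The spoofing problem Andrew's post refers to is a property of the RFC userinfo syntax itself: everything between `//` and `@` is user credentials, not the host, so an address whose visible prefix looks like a trusted site can resolve to a different host entirely. The following is an added example, not code from either poster or from Microsoft's article. It uses the WHATWG `URL` class built into Node.js to show how a parser reads such URLs, applies the same "refuse embedded credentials" policy the KB article describes, and shows the workaround a tool like BBTray could use instead (an `Authorization` header). All host names and credentials in it are made-up placeholders.

```javascript
// Added example (not from the original thread): how a URL parser interprets
// the RFC userinfo syntax, and why "https://www.somehost.com@evil.example/"
// does not go to www.somehost.com. Host names below are placeholders.

function describeUrl(raw) {
  const u = new URL(raw);
  return {
    host: u.hostname,          // where the request is actually sent
    username: u.username,      // text between "//" and ":" or "@"
    password: u.password,      // text between ":" and "@"
    hasCredentials: u.username !== "" || u.password !== "",
  };
}

// A legitimate use of the syntax, as in the BBTray case described above.
const legit = describeUrl("https://user:password@www.somehost.com/");

// The spoof: the familiar-looking name before "@" is only the username;
// the real host is what follows it.
const spoof = describeUrl("https://www.somehost.com@evil.example/");

// The conservative policy KB834489 describes: refuse any URL carrying
// userinfo at all, regardless of whether it "looks" legitimate.
function rejectEmbeddedCredentials(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (u.username !== "" || u.password !== "") {
    return { ok: false, reason: `userinfo present; real host is ${u.hostname}` };
  }
  return { ok: true, host: u.hostname };
}

// Workaround for a tool that genuinely needs HTTP basic auth: strip the
// credentials out of the URL and send them as an Authorization header,
// so nothing sensitive ever sits in the address bar, status bar or history.
function toAuthHeader(raw) {
  const u = new URL(raw);
  const creds = `${decodeURIComponent(u.username)}:${decodeURIComponent(u.password)}`;
  const token = Buffer.from(creds, "utf8").toString("base64");
  u.username = "";
  u.password = "";
  return { url: u.href, authorization: `Basic ${token}` };
}

console.log(legit);   // host "www.somehost.com", username "user"
console.log(spoof);   // host "evil.example", username "www.somehost.com"
console.log(rejectEmbeddedCredentials("https://www.somehost.com@evil.example/"));
console.log(toAuthHeader("https://user:password@www.somehost.com/"));
```

Run it with `node` to see the two parses side by side. Note that the header workaround only moves the credential out of the URL; it still travels in clear unless the connection is HTTPS, and it does nothing about the "remember my password" or cookie storage concerns raised in the thread.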
Current thread:
- MS to stop allowing passwords in URLs McAllister, Andrew (Feb 02)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- RE: MS to stop allowing passwords in URLs Joe Weisenberger (Feb 03)
- Re: MS to stop allowing passwords in URLs N407ER (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave Warren (Feb 03)
- Re: MS to stop allowing passwords in URLs David B Harris (Feb 03)
- Re: MS to stop allowing passwords in URLs Östlund (Feb 04)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 06)
- Re: MS to stop allowing passwords in URLs Vinny Abello (Feb 03)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- Re: MS to stop allowing passwords in URLs Ansgar -59cobalt- Wiechers (Feb 03)
- RE: MS to stop allowing passwords in URLs Andrew Harwood (Feb 03)
- Re: MS to stop allowing passwords in URLs 3APA3A (Feb 03)