Bugtraq mailing list archives
Re: MS to stop allowing passwords in URLs
From: "Dave Warren" <dave.warren () devilsplayground net>
Date: Mon, 2 Feb 2004 21:01:45 -0700
McAllister, Andrew wrote:

> I certainly don't consider the "remember my password" functionality nor stored cookies any more or less safe than this syntax. Anyone have any comments regarding legitimate uses of this syntax and Microsoft removing it from their browser? (and presumably the OS since the browser IS the OS).

The safety concerns of http://user:pass@www aren't technical, they're user/training issues. How do you explain to your grandmother that http://www.herbank.com:login.asp@session-arhuz.ru/ isn't safe but http://www.herbank.com/login.asp?arhuz.ru/ is okay?

The solution, in my opinion, would be to come up with a new notation that doesn't break existing RFCs, but that still places the hostname first. Something like http://www#user:password/path/file.cgi would be safer for the common user; all they'd have to look at would be the first thing they see after the http:// to determine if it is trusted.

Unfortunately, the next step will be http://www.herbank.com.naughty-phish-scheme.com/ where naughty-phish-scheme is something less suspicious. Then we'll be right back to where we started, and we'd still have broken or lost valuable functionality.

It's probably too late, but rather than removing user:password support altogether, maybe Microsoft could replace it with a dialog that informs the user they are about to visit "session-arhuz.ru" with the username "www.herbank.com", and an appropriate warning about not revealing sensitive information, blahblahblah?

--
Dave Warren, Email Address: dave.warren () devilsplayground net
Cell: (403) 371-3470 Fax: (403) 371-3471 Toll free: (888) 371-3470
Vonage: (817) 886-0860 ICQ: 17848192 AIM: devilspgd Yahoo!: devilspgd
MSN/PASSPORT: dave.warren () devilsplayground net
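The dialog Dave proposes can be built from a standard URL split: the host the browser will actually contact comes from the authority after the "@", and anything before it is credentials. The following is an added example (not code from the thread or from any browser vendor) using Python's urllib to show what a user-facing warning for such a link would contain; the hostnames are the ones used in the post above.

```python
from typing import Optional
from urllib.parse import urlsplit


def explain_userinfo_url(url: str) -> dict:
    """Split a URL the way a browser does and report where it really goes.

    Returns the host the request will reach, the username that would be
    sent as a credential (if any) and a flag set when that username
    itself reads like a hostname, which is the confusion the thread is about.
    """
    parts = urlsplit(url)
    username = parts.username
    # A dotted username such as "www.herbank.com" looks like a site name to
    # someone scanning the address bar, but the browser treats it purely as
    # login data for `host`.
    looks_like_host = bool(username) and "." in username
    return {
        "host": parts.hostname or "",
        "username": username,
        "has_password": parts.password is not None,
        "username_looks_like_host": looks_like_host,
    }


def warning_for(url: str) -> Optional[str]:
    """Build the dialog text suggested in the post, or None when the URL
    carries no userinfo and therefore needs no warning."""
    info = explain_userinfo_url(url)
    if not info["username"]:
        return None
    msg = (f'You are about to visit "{info["host"]}" with the username '
           f'"{info["username"]}".')
    if info["username_looks_like_host"]:
        msg += (" The username looks like a site name; the site you will"
                " actually reach is the one named first in this message.")
    if info["has_password"]:
        msg += " The password embedded in this link will be sent to that site."
    return msg


if __name__ == "__main__":
    # Example links from the thread (constructed for illustration).
    for link in ("http://www.herbank.com:login.asp@session-arhuz.ru/",
                 "http://www.herbank.com/login.asp?arhuz.ru/"):
        print(link, "->", warning_for(link))
```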
Current thread:
- MS to stop allowing passwords in URLs McAllister, Andrew (Feb 02)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- RE: MS to stop allowing passwords in URLs Joe Weisenberger (Feb 03)
- Re: MS to stop allowing passwords in URLs N407ER (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave Warren (Feb 03)
- Re: MS to stop allowing passwords in URLs David B Harris (Feb 03)
- Re: MS to stop allowing passwords in URLs Östlund (Feb 04)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 06)
- Re: MS to stop allowing passwords in URLs Vinny Abello (Feb 03)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- Re: MS to stop allowing passwords in URLs Ansgar -59cobalt- Wiechers (Feb 03)
- RE: MS to stop allowing passwords in URLs Andrew Harwood (Feb 03)
- Re: MS to stop allowing passwords in URLs 3APA3A (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave McCormick (Feb 03)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 03)