Full Disclosure mailing list archives

Microsoft removes 'user:passwd@site' support


From: "Richard Hatch" <r.hatch () eris qinetiq com>
Date: Mon, 9 Feb 2004 13:40:17 -0000

I have read with (initial) interest (some of) the posts about Microsoft
removing the user:password@site format support for URLs.

OK, so some people have valid URLs of the fc () all net type.
As the saying goes, deviate from a standard (or RFC) at your own peril.

Was Microsoft 'wrong' to simply remove this support?  Maybe.
Were people wrong to register domain names with reserved characters? Maybe.

I am not a Microsoft fan, but given the huge number of email scams relying
on this type of URL, something clearly had to be done to help protect users.
Microsoft could have simply said "It's not our fault, we can't fix this
without breaking other things".

I find it curious that this type of response has not been prompted by the
"Hide known file extensions" feature of Windows.
People may think "Why is someone I don't know sending me anna.jpg?" before
they click on the file.
If the filename were anna.jpg.exe, most users would think that something fishy
was going on.

As far as I am concerned, the bottom line is that Microsoft's fix will help
more people than will be affected by it.  If people are so bothered by this,
use a different browser.

It does surprise me that some people in the IT security industry complain
about the lack of security awareness amongst users on the one hand, and on the
other argue for keeping support for methods that have been proven to fool users
into clicking strange URL links.

It seems to me that people are so eager to continue pet arguments (i.e.
anti-Microsoft) that any action by Microsoft is immediately scorned.

Let's stop the flame wars and get back to sharing information so that users
can be better protected.

R. Hatch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
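The following is an added example, not part of Richard Hatch's post or of the list archive. It shows what a standards-conforming URL parser actually does with the "user:password@site" form the post is about: per RFC 3986, everything between "//" and the last "@" of the authority is userinfo, and the real host is whatever follows that "@". A scam link works because a casual reader takes the first thing after "http://" to be the site. The code runs under Node's built-in WHATWG URL class (not Internet Explorer's parser); the "userinfo looks like a hostname" heuristic, the function names and the sample links are assumptions of this example.

```javascript
// Added example (not from the original post or the archive): how a standards-
// conforming URL parser reads the "user:password@site" form the post discusses.
// RFC 3986 puts everything between "//" and the last "@" of the authority into
// userinfo; the host is whatever follows that "@". A scam link relies on the
// reader taking the first thing after "http://" to be the site being visited.
// Uses Node's built-in WHATWG URL class. The "looks like a host" heuristic is
// an assumption of this example, not anything the post describes.

function safeDecode(s) {
  // A spoofer may percent-encode the dots of the fake hostname; undo that
  // before inspecting. Fall back to the raw text if the encoding is malformed.
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

function analyseUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  const hasUserinfo = url.username !== '' || url.password !== '';
  const user = safeDecode(url.username);
  // Heuristic (assumption): a legitimate login name looks like "fc"; userinfo
  // that contains a dot or an embedded "@" is shaped like a hostname and is
  // probably trying to pass itself off as the site.
  const userLooksLikeHost = /[.@]/.test(user);
  return {
    ok: true,
    realHost: url.hostname,
    userinfo: hasUserinfo ? user + (url.password ? ':' + url.password : '') : null,
    suspicious: hasUserinfo && userLooksLikeHost,
  };
}

// Constructed sample links of the kinds the post mentions (not real sites).
const SAMPLES = [
  'http://www.microsoft.com/',                          // plain, no userinfo
  'http://fc@all.net/',                                 // legitimate user@host
  'http://www.microsoft.com@evil.example/update',       // spoof: "site" is userinfo
  'http://www.microsoft.com:login@evil.example/update', // spoof with a fake password
  'http://www%2Emicrosoft%2Ecom@evil.example/',         // spoof with encoded dots
  'http://www.microsoft.com@x@evil.example/',           // extra "@": host still follows the last one
];

function report(urls) {
  return urls.map((u) => {
    const r = analyseUrl(u);
    if (!r.ok) return `UNPARSEABLE  ${u}`;
    const verdict = r.suspicious ? 'SUSPICIOUS' : 'ok        ';
    const info = r.userinfo === null ? '-' : r.userinfo;
    return `${verdict}  host=${r.realHost}  userinfo=${info}  ${u}`;
  });
}

console.log(report(SAMPLES).join('\n'));
```

Run it with `node` and compare the `host=` column with what the link appears to say: in every spoofed sample the browser will connect to evil.example, whatever precedes the "@". The legitimate user@host link (the fc@all.net case the post mentions) is left alone because its userinfo is a plain login name, which is the distinction a blanket removal of the syntax cannot make.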

