Full Disclosure mailing list archives
Microsoft removes 'user:passwd@site' support
From: "Richard Hatch" <r.hatch () eris qinetiq com>
Date: Mon, 9 Feb 2004 13:40:17 -0000
I have read with (initial) interest (some of) the posts about Microsoft removing the user:password@site format support for URLs.

OK, so some people have valid URLs of the fc () all net type. As the saying goes, deviate from a standard (or RFC) at your own peril. Was Microsoft 'wrong' to simply remove this support? Maybe. Were people wrong to register domain names with reserved characters? Maybe.

I am not a Microsoft fan, but given the huge number of email scams relying on this type of URL, something clearly had to be done to help protect users. Microsoft could have simply said "It's not our fault, we can't fix this without breaking other things".

I find it curious that this type of response has not been prompted by the "Hide known file extensions" feature of Windows. People may think "Why is someone I don't know sending me anna.jpg?" before they click on the file. If the filename was anna.jpg.exe, most users would think that something fishy was going on.

As far as I am concerned, the bottom line is that Microsoft's fix will help more people than will be affected by it. If people are so bothered by this, use a different browser.

It does surprise me that some people in the IT security industry complain about the lack of security awareness amongst users on one hand, and argue about keeping support for methods that have been proven to fool users into clicking strange URL links.

It seems to me that people are so eager to continue pet arguments (i.e. anti-Microsoft) that any action by Microsoft is immediately scorned.

Let's stop the flame wars and get back to sharing information so that users can be better protected.

R. Hatch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html