Bugtraq mailing list archives
Re: MS to stop allowing passwords in URLs
From: Gunnar "Östlund" <kalix () dc luth se>
Date: Wed, 04 Feb 2004 09:07:26 +0100
It's probably too late, but rather than removing user:password support altogether, maybe Microsoft could replace it with a dialog that informs the user they are about to visit "session-arhuz.ru" with the username "www.herbank.com", and an appropriate warning about not revealing sensitive information, blahblahblah?
As an answer to the question "Are you sure that you want to... bla,bla ...as this may reveal sensitive information?", 99% of the users will click "Yes" as they always do. Even if the question is phrased "...do you wish to abort this action?", most users will simply try a few times by clicking "yes" and finally actually read the question and the warning before clicking "no".

The problem is that most people do not cultivate the high-grade paranoia that most readers of Bugtraq do, and that is what makes security so difficult to implement, especially if security is to be retrofitted to a protocol or product. People make the choices that are most convenient to their daily use; allow everything, don't upgrade, don't patch. In fact, most people don't even know why they should patch. I've even heard the urban legend that running Microsoft Update is dangerous as your computer may get infected by computer viruses that way.

--
Gunnar Ostlund
Tel: +46 920 492039
Computer Support Centre
Email: Gunnar.Ostlund () dc luth se
Lulea University of Technology
S-971 87 Lulea
Sweden