Microsoft To Remove Support For http(s) auth URLs

← Back to Stories (view on slashdot.org)

Microsoft To Remove Support For http(s) auth URLs

Posted by timothy on Wednesday January 28, 2004 @03:53AM from the was-sonst dept.

damohasi writes "According to Microsoft Knowledge Base, MS "plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer". Whether this will break rfc 1738 or not, it might get webspace provider in trouble who offer @-domains like the German 1und1."

79 comments

Min score:

Reason:

Sort:

first post by Anonymous Coward · 2004-01-28 03:53 · Score: 0, Interesting

You guys make it look like they don't have a workaround for some sites. Read the bottom.
1. Re:first post by DjReagan · 2004-01-28 04:09 · Score: 5, Insightful
  
  And you think its a reasonable work-around for an end user to be editing registry entries in order to get functionality that is specified in the RFCs?
  
  --
  "When I grow up, I want to be a weirdo"
2. Re:first post by Anonymous Coward · 2004-01-28 04:12 · Score: 0
  
  That's better than having an insecure machine buddy.
3. Re:first post by aminorex · 2004-01-28 04:12 · Score: 1
  
  You're kidding, right? Their workarounds
  include such gems as "rewrite the object"
  and suggestions to use Microsoft-proprietary
  nonstandard mechanisms.
  
  --
  -I like my women like I like my tea: green-
4. Re:first post by Gaijin42 · 2004-01-28 04:59 · Score: 1
  
  When the RFC actually specifies that a username and password ARE NOT ALLOWED, I think that is quite reasonable to eliminate a security threat, AND become more in line with the actual standard.
5. Re:first post by drakaan · 2004-01-28 06:14 · Score: 1
  
  Which is a nice enough statement, except that the RFC doesn't say that they're not allowed, it says they "may be axcluded".
  I'll agree that putting a username:password pair in the url typed into a secure url is stupid if you value security, but not allowing it at all does not make IE any more or less compliant with the RFC.
  
  --
  "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
6. Re:first post by Gaijin42 · 2004-01-28 06:38 · Score: 2, Interesting
  
  No, you are incorrect.
  
  the URL standad allows for a username and password, but it is not required. However, the HTTP and HTTPS section of the URL standard specifically disallow the use of a username and password
  
  URL RFC
  
  read section 3 : (some of the text below is garbled, because I dont feel like escaping out all the > and < in the text below, however that does not change the important bits.)
  
  3.3 HTTP
  The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).
  
  The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs.
  
  An HTTP URL takes the form:
  
  http://>:/?
  
  where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.
  
  Within the and components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure.
7. Re:first post by drakaan · 2004-01-28 06:54 · Score: 1
  
  Well, dammit, you could have at least mentioned some of that before forcing me to read only the first 5 pages of the RFC and making myself look like an ass. This is slashdot, for crying out loud...I don't have time to check the facts thoroughly, that's YOUR job ;)
  Good info, I stand corrected.
  
  --
  "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
8. Re:first post by anthony_dipierro · 2004-01-28 12:22 · Score: 1
  
  Of course. RFCs are just requests for comments. They are broken constantly, in fact, it's impossible to follow them all, because they contradict themselves.
  
  But hey, maybe my computer should support aviary carriers without editing registry entries. Cause hey, it's specified in an RFC.
Alternate solutions by jtheory · 2004-01-28 03:58 · Score: 4, Insightful

I understand why they'd want to disable that format... but it is a standard, after all -- why not just pop up a warning showing the site you're really going to?

--
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
1. Re:Alternate solutions by Anonymous Coward · 2004-01-28 04:05 · Score: 0
  
  RFC's are not standards.
2. Re:Alternate solutions by Marillion · 2004-01-28 04:14 · Score: 1
  
  Because the problem is also with the web server that supplied the credientials. I worked with a portal package that logged into a downstream web server, got some aggreagate data, then supplied drill-down links that linked directly to the downstream server that had the authentication information in the URL. The downstream web server was a package that we couldn't modify. Technically, it's the only way (short of exotic technology like Kerberos) to do this with three different computers that shouldn't trust each other.
  We were willing to live with that, out out big hang up was that when your mouse hovered over the link, the status bar displayed the full URL with the plaintext authentication information.
  
  --
  This is a boring sig
3. Re:Alternate solutions by Datoyminaytah · 2004-01-28 04:48 · Score: 1
  
  They may not be called standards, but they are certainly used as standards by almost everyone. They're the closest thing to standards a lot of protocols have.
  
  I'm sure a lot of people following these "standards" don't even know that RFC stands for "Request For Comments".
  
  --
  assert(birth_date<time-86400)
4. Re:Alternate solutions by J'raxis · 2004-01-28 05:19 · Score: 1
  
  RFC1738 states at the very top:
  This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
  (Emphasis added.) Not all RFCs are standards, but many, such as this one, document protocols meant to be or become standards. Some even do become standards whereupon they are relabeled "STD" and renumbered (for example, STD7 is TCP).
  
  --
  Liberty in your lifetime
5. Re:Alternate solutions by Anonymous Coward · 2004-01-28 05:25 · Score: 0
  
  DARPA loves M$, but M$ hates DARPA's RFCs, so, DARPA loves M$ for users' insecurities.
  open4free
6. Re:Alternate solutions by Anonymous Coward · 2004-01-28 05:28 · Score: 0
  
  So, J'raxis... when are you going to resurrect your The WIPO Troll account?
7. Re:Alternate solutions by Anonymous Coward · 2004-01-28 05:47 · Score: 0
  
  Hey, I've noticed you've posted several comments with the open4free name. You better register for an account soon, or someone else will get it. Not that I would, though.
8. Re:Alternate solutions by spitzak · 2004-01-28 05:48 · Score: 3, Insightful
  
  After reading all the comments here, I agree that MS's "solution" is bogus. A far better one would be:
  
  1. Fix the status preview. But instead of showing the full path, show the actual URL with the usernae and password stripped, or show it with a leading '@'. This will hide the username/password from casual viewing, something a reply to this same comment said is a problem to his actual use of this scheme in browsers other than IE.
  
  2. If the user clicks on such a link, pop up a box asking if the user really wants to do this. However a relative link (ie from one location with the same name&password to another) does not pop up the box.
  
  3. To be really clever the box can also let the user choose a different name or password, prefilled with the URL values. Be careful to design it so a novice user is absolutely certain to cancel the box rather than hit ok.
9. Re:Alternate solutions by MindStalker · 2004-01-28 06:23 · Score: 1
  
  What we need is a setting that default to off, for turning this ability back on.
10. Re:Alternate solutions by bobv-pillars-net · 2004-01-28 08:44 · Score: 2, Interesting
  Just to play devil's advocate, let's suppose I were a Microsoft programmer, considering the following two options:
  
  Make the following changes to Internet Explorer and related software:
  
  Change the display code to recognize a special class of URLs which should be treated differently from other URL's.
  
  Create a special function and associated UI elements to deal with such URL's.
  
  Test and refine the implementation until computer novices do the right thing automatically.
  
  Disable a feature that has caused negative publicity since its implementation.
  
  Keep in mind that in order to justify my choice to upper management, I must prove that it generates the most profit for the least investment.
  
  Hmm.......
  --
  The Web is like Usenet, but
  the elephants are untrained.
11. Re:Alternate solutions by Anonymous Coward · 2004-01-28 09:10 · Score: 0
  
  My problem with IE is that it tends to not only hide the password, but that, on FTP sites, it will hide the username, and then sometimes it will decide the @ symbol is part of the site hostname? It's weird and does strange things.
  
  Not to mention that / on an FTP site often puts me in my home directory on IE, not the root directory, and // doesn't fix the problem, and sometimes IE likes to "clean" URLs that start with ../../ and takes out those path elements without realizing they are imporant.
  
  *shrug* But then again, IE might just suck ;)
12. Re:Alternate solutions by spitzak · 2004-01-28 09:57 · Score: 1
  
  1.1 Part of the problem with IE is that it already treats a class of URL's specially and displays them with the text after the '@' deleted. If it showed then entire text it would be better (though as a lot of people pointed out it won't be that much better). But anyway the test is there already.
  
  1.2 Detecting and somehow dealing with such URL's must be done to "disable" it as well. The parsing is done by the server that IE talks to, not IE. So whatever is done (either not sending it, or popping up a dialog) requires the same amount of work to get started.
  
  1.3 I agree that any dialog would have to be tested. This could be the main reason they decided to do something with no dialog. Although a yes/no question box should have been easy. My more complex suggestion probably is hard, and I think needs lots of testing to make sure people are not tempted to hit "ok".
  
  2. "Disabling the feature" in this case means really adding a feature to detect and not send these URL's.
13. Re:Alternate solutions by JabberWokky · 2004-01-28 11:32 · Score: 2, Informative
  
  Konqueror does this... well, it actually hides the password only, so you still have the form:
  http://username@domain.ext/path/
  If you use username:password, the password goes away when the URL is parsed and stored and used for future hits to the same username/domain pair (for that session).
  --
  Evan
  
  --
  "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
14. Re:Alternate solutions by anthony_dipierro · 2004-01-28 12:24 · Score: 1
  
  On the other hand, http auth URLs are (de facto) standards.
15. Re:Alternate solutions by anthony_dipierro · 2004-01-28 12:28 · Score: 1
  
  Technically, it's the only way (short of exotic technology like Kerberos) to do this with three different computers that shouldn't trust each other.
  
  Well, maybe you consider https user certificates exotic, but even so, you could always use HTTP GET, which is certainly not exotic.
  
  We were willing to live with that, out out big hang up was that when your mouse hovered over the link, the status bar displayed the full URL with the plaintext authentication information.
  
  So why use plaintext? Encrypt it.
16. Re:Alternate solutions by Marillion · 2004-01-28 17:21 · Score: 1
  
  No, the downstream server (An off-the-shelf timeclock system) was a canned product. It used BASIC authentication. There is a portal product which is a little bit client, and a little bit server. And, of course, the end users' browser. The user logs into the portal site and gets a summary of hours worked. (among other things.) The timeclock system released the hours because the portal site impersonated the end user and provided the data to be scrapped be the portal. Both the portal and timeclock system authenticated to a central password system (eDir), to the time clock system demands basic authentication from anyone who asks for data (good for it) and a portal is just another browser. The fact a user logged into the portal has no relevance if the user want to follow a link on the portal site and get more information like shift assignments or trading shifts with someone else. The links on the portal site were built with the username password in them save the user the hassle of signing in twice when he transitioned off the portal site to the timeclock site.
  
  --
  This is a boring sig
17. Re:Alternate solutions by Anonymous Coward · 2004-01-28 18:03 · Score: 0
  
  Yeah, my ISP's FTP site requires me to login with my email address, and having two "@" symbols confuses the hell out of IE. It's URL parsing seems totally screwed, so maybe it might make sense to drop this feature (temporarily)
Actually a bug fix for the IE spoofing problem by joncarwash · 2004-01-28 04:00 · Score: 5, Insightful

According to the Microsoft KB article itself, this is actually a fix for the IE spoofing problem reported in late 2003:

A malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com: http://www.wingtiptoys.com@example.com

Despite the negative side-effect, this update is actually a fix for a large security issue in IE. Phishing has become a big problem recently, especially since Microsoft acknowledged the bug in IE. Now if users actually run the update, and then check to see the actual address to which they are giving information, phishing may not be as big of a problem.

--
A computer is a valuable tool, so use it and stop whining.
1. Re:Actually a bug fix for the IE spoofing problem by Anonymous Coward · 2004-01-28 10:26 · Score: 0
  
  Whordges. A few points.
  
  1. No shit it's to fix that bug.
  
  2. It's a bad way to fix it.
  
  3. I slept with your mom last night.
  
  4. You are a whore.
Of Course... by alexpage · 2004-01-28 04:01 · Score: 4, Insightful

Because breaking standards compliance is a much better solution than fixing your fucking software in the first place!

There are several browsers which implement this feature without it being a security hole or risk. This is yet more evidence of Microsoft's inadequate attempts to provide a decent product, and yet more reason to advocate for unbundling IE - what incentive to M$ have to create a decent browser if their POS is installed on most desktops by default?

Then again, it's more reason for people to switch away to a proper web browser, so I guess it's not all bad news...
1. Re:Of Course... by drnlm · 2004-01-28 04:16 · Score: 5, Informative
  
  To quote the RFC:
  An HTTP URL takes the form:
  http://<host>:<port>/<path>? <searchpart>
  where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.
  The allowing of username, password in http urls is a convention, but is certainly not the standard. If Microsoft does this, they'll actually be able to claim that IE is more standards-compliant than other browsers that allow the syntax.
  Whether allowing this syntax is a good or bad idea is a completely different debate (and slashdot is arguably the wrong forum to discuss it :) ).
2. Re:Of Course... by alexpage · 2004-01-28 04:27 · Score: 1
  
  You could always take the M$ line and claim that http://user:password@host:port/ is a "standard" just because it's so widely used... ;)
3. Re:Of Course... by gbjbaanb · 2004-01-28 04:33 · Score: 1
  
  Interesting to note that the only thing at issue is the change they made to IE6 that simply displayed the part of the URL after the '@' sign - previous versions displayed the whole URL, username, password and all.
  No-one cared before that change.
4. Re:Of Course... by alexpage · 2004-01-28 05:06 · Score: 1
  
  Your inability to spot a smiley?... Check
  My +3 karma (at time of posting this comment) from my original comment?... Check
5. Re:Of Course... by EvilJohn · 2004-01-28 05:08 · Score: 3, Informative
  
  and to Continue Quoting the RFC:
  3.1. Common Internet Scheme Syntax While the syntax for the rest of the URL may vary depending on the particular scheme selected, URL schemes that involve the direct use of an IP-based protocol to a specified host on the Internet use a common syntax for the scheme-specific data:
  
  //<user>:<password>@<host>:<port>/<url-path>
  ...and so on. The RFC seems to allow indicate this indeed is a valid URL contruction.
  
  --
  
  Less Talk, More Beer.
6. Re:Of Course... by Dr.Dubious+DDQ · 2004-01-28 05:23 · Score: 1
  
  I was beginning to wonder - so the RFC says that HTTP(S) is an EXCEPTION to the RFC-Standard
  proto://(user):(password)@(host):(port)/(url)
  scheme?
  
  Personally, I've gotten used to "fish://(user):(password)@(host)" and "webdav://(user):(password)@(host)" and "ftp://(user):(password)@(host)" and so on...It'd annoy me to have it removed. I suppose just removing it from http(s) wouldn't be TOO bad...
  
  --
  Hacker Public Radio is our Friend
7. Re:Of Course... by gbjbaanb · 2004-01-28 05:27 · Score: 2, Informative
  
  its not terribly clear, but HTTP is not part of the 'Common Internet Scheme'. Look at section 3.3 where it gives the scheme for HTTP fully.
  
  The only ones that do make use of user:passwd are ftp and telnet.
8. Re:Of Course... by millette · 2004-01-28 07:48 · Score: 1
  
  The grand-parent post was quoting section 3.3, so saying "To continue Quoting" is a little bit misleading.
  The way I see it, 3.1 describes in a very general way what might be acceptable in a url. It sort makes sense that not all schemes will need/support all varieties. So 3.3 points our clearly what a url for the http/https scheme is.
  But it was a nice try ;)
darn. by pb · 2004-01-28 04:02 · Score: 4, Interesting

...note that slashdot doesn't allow them either, and for similar reasons. :)

http://goatse.cx%01%00@microsoft.com/ <-- I wonder why?

--
pb Reply or e-mail; don't vaguely moderate.
1. Re:darn. by Imperator · 2004-01-28 04:14 · Score: 2, Funny
  
  Actually this bug works in the opposite order--the first string is the one that's displayed. Then again, maybe your meant that: after all, it's not inconceivable that people would be more willing to give their credit card number over to the goatse guy than to Microsoft...
  
  --
  
  Gates' Law: Every 18 months, the speed of software halves.
2. Re:darn. by pb · 2004-01-28 04:17 · Score: 3, Funny
  
  Well, you know, the difference between Bill Gates and the goatse.cx guy... one is a giant asshole, well-known and feared by many, and the other one is just a regular guy with a personal website for himself...
  
  --
  pb Reply or e-mail; don't vaguely moderate.
3. Re:darn. by millette · 2004-01-28 06:43 · Score: 1
  
  just try http://goatse.cx/, trust me. It's been dead since the 16th at least.
4. Re:darn. by andfarm · 2004-01-28 15:33 · Score: 1
  
  How about this [www.google.com] kind of redirection?
  
  --
  TANSTAAFI: There Ain't No Such Thing As A Free iPod.
5. Re:darn. by andfarm · 2004-01-28 15:35 · Score: 1
  
  Whoops, mistyped that. Try this instead.
  
  --
  TANSTAAFI: There Ain't No Such Thing As A Free iPod.
What a crap way around fixing the security hole by a.koepke · 2004-01-28 04:02 · Score: 4, Interesting

The reason they are doing this is due to the security hole that was found in IE recently.

Instead of fixing the bug that is causing they security hole they remove the feature. How stupid and dumb is that? It is more-or-less saying, "We have got no idea how to program and cannt make enough sense of our own code to fix a security issue."

--

(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
1. Re:What a crap way around fixing the security hole by ivan256 · 2004-01-28 04:59 · Score: 1
  
  No, what they're saying is that the people making the decisions are not the people who understand the problem. Instead they're being made by people with a bigger paycheck that base the decision on "risk assessments" and personal hot buttons. That type of thing happens in amost every organization that grows to over 50 people.
  
  What probably happened here is that some manager found out that the risk of the feature being exploitable was practically non existent if they fixed the bug, but completely non existent if they removed the feature, so they picked the solution least likely to get them fired.
ROFL by Imperator · 2004-01-28 04:12 · Score: 4, Insightful

This is hilarious. There's a bug in IE that's being exploited to steal credit card information. MS evidently hasn't figured out how to fix it so they'll remove support for a whole feature of HTTP.

I'm starting to see a pattern here. IE has standards-compliance issues and MS doesn't seem to be making any moves to increase standards support or support additional standards. The IE rendering engine hasn't really changed in years now and there aren't any plans on the horizon either. A bug that should be simple to fix hasn't been fixed in weeks (months?) and before they release a fix, they're releasing a workaround to one of the (several) problems that the bug is causing.

My conclusion? The IE code base is a mess. Like Netscape 4, it's grown too fast and with too little control from competent engineers. Forget things like proper CSS2 support: the IE team can't even wrestle the code to fix a simple bug. I wouldn't be surprised if MS has for some time now been in the process of rewriting IE (or substantial parts of it) from scratch. After all, it worked for the Mozilla Project.

--

Gates' Law: Every 18 months, the speed of software halves.
1. Re:ROFL by Anonymous Coward · 2004-01-28 04:26 · Score: 0
  
  After all, it worked for the Mozilla Project.
  Too bad the Mozilla people negated the improvements by implementing the abortion known as XUL.
2. Re:ROFL by gbjbaanb · 2004-01-28 04:46 · Score: 0
  
  Get a clue before posting please. The problem is that IE is *not* standards compliant because it allows URLs with the user:passwd@host scheme.
  
  Other browsers that do this are similarly broken. This is the bug, that and IE6 doesn't display the user/passwd in the title bar (which you'd expect really - really want your password displayed for all to see?).
  
  So, if other browsers support this URL scheme, and hide the parts before the @ sign, then they're ready for exploitation too.
3. Re:ROFL by Uncle+Warthog · 2004-01-28 05:42 · Score: 1
  
  Get a clue yourself. RFC1738 lists it as a valid syntax. See section 3.1 if you don't believe me.
  Other RFC's list this syntax as "NOT RECOMMENDED" as it exposes the account information in plaintext, a sentiment I agree with. On the other hand, I realize that sometimes it needs to be used or security isn't that much of an issue and it is part of the standard.
4. Re:ROFL by imr · 2004-01-28 05:54 · Score: 2, Insightful
  
  I think the situation is even worse than that:
  they tied the browser to the os and now they cant fix the browser without breaking everything that is tied to it. And that means all software, not only redmond's, that is based upon those components.
  Therefore, they can't apply one patch without tons of tests and that means time. So for a quick fix, they can't do anything but nerf the feature.
  But don't worry, with .net and longhorn, things will get integrated even thighter into the os. Welcome to .netmare.
  
  Meanwhile, having source code available and system and apps clearly separated under linux, it's just a matter of recompiling, fixing the eventual bug in the third party apps, and then the users just have to:
  urpmi
  apt get
  yum
  emerge
  download the bunch of tgz
  whatever their preference is, and everithing is upgraded at once.
  
  Which reminds me of this work of this guy from cambridge who kinda proved that free software and proprietary's are equally secure bug wise, because after a certain amount of bugs, it takes the same time to find the next one. I bet he didnt include the bug fixing time in his equation. If you find the next bug at the same time but cant fix it for one month or are obliged to kill the features, because you can introduce new bugs outside your scope, I wouldnt say they are equally secure bug fixing wise..
5. Re:ROFL by Mikkeles · 2004-01-28 06:36 · Score: 1
  
  Section 3.1 is the common section. Each scheme is further specified in its own section.
  For HTTP, from RFC1738, we have (emphasis added by me):
  
  3.3. HTTP
  
  The HTTP URL scheme is used to designate Internet resources
  accessible using HTTP (HyperText Transfer Protocol).
  
  The HTTP protocol is specified elsewhere. This specification only
  describes the syntax of HTTP URLs.
  
  An HTTP URL takes the form:
  
  http://<host>:<port>/<path>?<searchpart>,
  
  where <host> and <port> are as described in Section 3.1. If :<port>
  is omitted, the port defaults to 80. No user name or password is
  allowed. <path> is an HTTP selector, and <searchpart> is a query
  string. The <path> is optional, as is the <searchpart> and its
  preceding "?". If neither <path> nor <searchpart> is present, the "/"
  may also be omitted.
  
  Within the <path> and <searchpart> components, "/", ";", "?" are
  reserved. The "/" character may be used within HTTP to designate a
  hierarchical structure.
  
  So, no user:password for http
  
  --
  Great minds think alike; fools seldom differ.
6. Re:ROFL by bergeron76 · 2004-01-28 15:52 · Score: 1
  
  Breaking standards is just part of their bigger strategy -
  dividing the internet in two.
  
  I think they are trying to create a Microsoft internet, and a non-Microsoft internet. I'm finding more and more places where Microsoft is becoming "standardized" in places of importance (US Post office "offical" stamps that REQUIRE Microsoft Office software anyone?).
  
  What happened to the RFC's? ANSI, IETF, etc?
  
  In fact, now that I think about it, virtually all of the new Microsoft-only technologies are linked to DRM in some form or another. I can't help but think that they're trying to create an internet that you can be a part of if you have nothing to hide, i.e. an internet where you remove all anonymity. In such a world, they can:
  
  a) guarantee revenue for software (no piracy)
  
  b) solve the worlds problems by making every user accountable / trackable
  
  c) profit!
  
  They're going to make Linux users, etc. out to be "hackers" and the "dark side of the internet". They're going to point out that in their safe, accountable, Disney-like theme-park-of-the-internet [MSN], you will be completely safe to roam the park, with no fears (and with NO sense of reality - have you EVER seen a Disney character with their suit-headress off? - NO, Disney does that by design!)... The result is going to be a fantasy-land where there is no reality and there is no human thought. Those butterfly commercials are just the beginning. Oh yah, you'll need a Microsoft ReplayTV box to see "suitable" television too.
  
  Let's just hope the FTC doesn't allow the inevitable Microsoft+Disney+MSNBC+BuenaVista Movie Studio merger.
  
  I pray that consumer rights groups keep a very CLOSE eye on every MSFT tentacle. I'm very wary of the goals of the company that's _already_ the most powerful company on Earth.
  
  Breaking the standards is just one facet of the Microsoft machine.
  
  Mod this as flamebait if you feel you have to, but be willing to come back and mod me back up in 2 years after it's happened (if you're on this side of the internet or if slashdot.org is "allowed" content).
  
  --
  Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
7. Re:ROFL by tiger99 · 2004-01-29 06:37 · Score: 1
  
  Yes, the illegally commingled code, which was delibarately done in such a way that the court could not make them untangle it, is the root of the problem.
  Sound programming practice, as used by everyone everywhere (except in Redmond) who develops serious programs is to have a modular layout with diverse things separated, in separate dlls for example, and not all mixed up the way it currently is. It is a true reflection of Bill's random mind.
  As for Longhorn, they are cutting down the APIs drastically so it will break almost every existing application. It will be their downfall, when poeple find that what will no longer run on a M$ OS will run on Linux under Wine or one of its variants.
The LOGICAL thing by metalhed77 · 2004-01-28 04:28 · Score: 1

Well, if they want to do it logically, they could remove ambiguity by auto-reformating URLs so that www.citibank.com@hax0rheaven.com gets displayed as something like

hax0rheaven.com username:www.citibank.com .

With username as a seperate field adjacent to the URL bar. Or whatever their UI gurus come up with as long as it is distinctly seperated from the domain.

They could even have it look for things like an URL as a username or password. It won't break the standards; it'll just change the presentation of the URL. I can't imagine why they'd even think of breaking a standard like HTTP or HTTPS in the first place.

--
Photos.
MOD PARENT UP by Anonymous Coward · 2004-01-28 04:30 · Score: 0

Slashbots need to understand that this update is a non-issue. *No* standard is broken by it!
More sensible solution by Ianoo · 2004-01-28 04:32 · Score: 3, Insightful

A far more sensible solution that I would propose is to do the following:

When a URL such as http://user:pass@www.domain/ is entered, display http://www.domain/ in the Address Bar and put "Logged in as user" in the status bar. This work just as well with https URLs, and would also give people a better sense of security since their passwords wouldn't be displayed in the address bar when viewing pages on an authenticated site.

It makes me wonder how much they are paying people to come up with solutions which involve breaking standards in the name of "security" when I can come up with a better idea in under 30 seconds...
1. Re:More sensible solution by Phaid · 2004-01-28 05:05 · Score: 3, Insightful
  
  Agreed, but as Windows is generally targeted at people who don't do things like read status bar text, I'd go one further and, in addition to your solution, actually have a popup like...
  
  "Security Warning"
  
  "You are about to log in to site www.haxorheaven.com, with the following credentials:
  
  username: microsoft.com
  password: %blahfafafofo.
  
  Click "OK" to proceed, "Cancel" to return to the previous page.
  
  [OK] [Cancel]"
  This would make it Really Obvious when someone is trying to misdirect users.
2. Re:More sensible solution by __past__ · 2004-01-28 05:30 · Score: 1
  
  And it would really suck if you'd use it in some script to update your dynamic DNS entry or some such.
  
  --
  Programming can be fun again. Film at 11.
3. Re:More sensible solution by Anml4ixoye · 2004-01-28 05:56 · Score: 1
  
  Unless they just made it an option that you could turn off - but was on by default.
  
  And I highly doubt most people using scripts to do anything is using IE unless the site they are using requires it.
  
  --
  Random Musings
4. Re:More sensible solution by Anonymous Coward · 2004-01-28 18:12 · Score: 0
  
  "Security Warning"
  
  "Opening this attachment may be harmful to your computer and may also DDOS losers like SCO and make the Open Source Community look like Script Kiddie Losers"
  
  Open Save [Cancel]
  ^
  |
An RFC violation or just an interface change? by FilthCatcher · 2004-01-28 04:36 · Score: 1

This may not be as bad as it initially looks.
This only affects IE and not the servers so that any scripts you write to connect to servers using user:pass@domain will still be properly authenticated by the server.

From the user point of view if a site requires authentication, IE will popup a dialogue asking for a username and password like it already does if you haven't already specified the details in the URL.

What you'll lose is the ability to send someone one link that automatically authenticates.

In fact, the communication between IE and the server stays true to the RFC - just that the interface will change to prevent one way of using the RFC being presented directly to the user. For example, there's no box under the URL bar to manually change the referrer field to be sent with your request or there isn't a menu button with dialogue called "add query parameter to URL".
1. Re:An RFC violation or just an interface change? by gbjbaanb · 2004-01-28 04:57 · Score: 2, Interesting
  
  I'm not sure that's correct. The browser relies on the inet dlls to make connections - and they will be the bits that are changed. (ie. the edit field in the browser will not parse the text, it'll pass it on to the comms subsystem).
  
  If MS alters the inet dlls then, all http communications will be affected by the change, and so the server will never see any packets even if you connect via scripts. (which is a good thing, you don't want a vbs script to auto-open hackers.com@www.ebay.com)
  
  I think its only a matter of time before the other browsers fix their systems to work in the same way - the feature is not standards compliant, so .. best get rid of it now (and not get hit with a similar exploit).
Dumbed down browser? by adamshelley · 2004-01-28 04:40 · Score: 0

Maybe microsoft realizes that their products are for people who aren't capable of thinking. Maybe they are dumbing down their product. I wouldn't be surprised if they start distributing IE Home version and IE professional ($200 a pop?). Maybe i'm just trying to be too nice. I can't see them having to remove the whole feature to fix one url handler bug. Maybe their code base is that terrible but i think it has to do with its userbase. Friends don't let friends use IE.
1. Re:Dumbed down browser? by Anonymous Coward · 2004-01-28 04:47 · Score: 0
  
  No, IE is for people who care about performance. Mozilla's ridiculous memory usage and slow responsiveness keeps many geeks from using it. Slashdot once published User agent stats showing that IE dominated all other browsers. There's a reason for that.
2. Re:Dumbed down browser? by Dave2+Wickham · 2004-01-28 06:48 · Score: 1
  
  Judging by people clicking my sig link (so not very good research) it'd seem that Firebird is the current most popular /. browser, followed by IE, then Mozilla. Windows is still the dominant OS on /..
Hell of a work around by bangular · 2004-01-28 05:00 · Score: 1

LMAO. Ok, let me get this straight. Instead of properly fixing the bug, they issue this extravagent work around. Is it really that hard to fix properly? I mean it's been over a month and people are very activly exploiting this problem. I remember MS promising us a couple of years ago their secured computing initiative (or what ever they called it). This doesn't look like much effort to me. Looks more like they don't want to fix the problem properly so they are using this work around of disabling it. Not saying @ urls are particularly useful, but it does make you what else they half ass internally that we never hear about.
1. Re:Hell of a work around by __past__ · 2004-01-28 05:21 · Score: 2, Interesting
  
  There Is No Bug. URLs with username/password parts work as they should in IE - but this, technically proper, behaviour is exploitable. It is not a technical problem, more like a way of social engineering - uneducated users or users that don't pay much attention to the URL may interpret it differently that the Browser does. So it is pretty much impossible to "fix it properly".
  This "solution" still sucks, there are good reasons to use such URLs, and for many of them, you explicitly do not want a popup. The 1und1 "@-domains" are not one of those however, these idiots deserve to suffer (and the morons who paid for this... well, a fool and his money...)
  
  --
  Programming can be fun again. Film at 11.
2. Re:Hell of a work around by DukeyToo · 2004-01-28 06:10 · Score: 2, Insightful
  
  Of course it is possible to fix it properly. All other browsers do it just fine.
  
  And of course it is a bug. It is a bug, because it is not the behavior that the programmers expected when they wrote the browser software.
  
  --
  Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
3. Re:Hell of a work around by ShaggyZet · 2004-01-28 06:14 · Score: 2, Informative
  
  Yes, there is a bug. If the phisher puts a special character before the @ sign, then the url bar in the browser doesn't display the true destination. So educated or not, the user has no idea that they aren't really talking to citibank, fdic, etc.
Incorrect by MarkusQ · 2004-01-28 05:38 · Score: 1

The problem is that IE is *not* standards compliant because it allows URLs with the user:passwd@host scheme.
No, that's part of RFC 1738 (as linked to above). Look at section 3.1 for that exact scheme. This is a case where they are (soon: were) standards compliant.
-- MarkusQ
1. Re:Incorrect by Anonymous Coward · 2004-01-28 05:54 · Score: 0
  
  Read the rest of the RFC you linked. Like 3.3 where it specifically says, "No user name or password is allowed."
2. Re:Incorrect by MarkusQ · 2004-01-28 16:22 · Score: 1
  
  That's for HTTP (where it isn't meaningful anyway) not HTTPS (where it is). The point though is that simply permitting the schema doesn't mean the browser isn't standards compliant, since in some cases it should be allowed. The real issue is, are there bugs in the handling that can be exploited, to which the answer clearly is "yes".
  -- MarkusQ
This is EXACTLY what Opera 7 does ... by Tux2000 · 2004-01-28 06:19 · Score: 1

... except for the wording, and it does not show the password.

Go to http://www.opera.com/ and see for yourself.

Tux2000 <-- Opera is my default browser

--
Denken hilft.
[long] dont @buse the @ sign by bertboerland · 2004-01-31 22:25 · Score: 1

It's not hip anymore, unless you work for a company that is still in the pre-dot-com-hype-cycle, but there used to be a time when putting an @ (at) sign in a name or a brand would create this e-internet feeling. corry even started the //dont abuse the at sign compaign somewhere in 2000.

During the rise of this @buse (atbuse?), a Dutch TV show for kids called z@ppelin started out. It's primary a TV show, but like any multi-channel-format thingy, they ought to have a website as well.

When they first aired their commercials with the URL in it, i felt sorry for all the kids. They url was z@ppelin.nl and I know most RFC's by heart so I //knew at-signs are not allowed in hostnames or domainnames. So typing in this URL would lead the kid towards a friendly IE page cannot be found. And even dad -who works as an IT consultant- couldnt solve it because they never teached him anything about open standards during his elite MCSE training of 4 days.

Or so I thought...

And then the commercial aired again. And again. And I started wondering, they are not that stupid at our national broadcast organisation. And then it hit me, the use the user:password@fullyqualifieddomainname trick; where the user is z, the password is empty which leads to user z @ host ppelin.nl.

So all usering logged in are the user Z and the domainname is ppelin.nl! Neat I thought, cool trick! (See for your self by going to //ppelin.nl)

Years passed... And then... Microsoft f*cked up again, a huge //hole -big enough to drive a truck through- showed up in Internet Exploiter. One can misuse the user:password@fqdn in a bad way. Microso~1 promissed there won't be any hotfixes during the month December 2003. So they ignored this bug. And they ignored... up to the point that banks took down their online service because of the risk of URL spoofing

So micoshaft //wrote an entry in their kbase, asking endusers ... to stop clicking on the blue underline things (we like to call them links) in the browser and type the full URL -including javascript!- in the browser. Well, that didnt do the trick Redmond!

Once their usability is a mousepointer department heared about this -days later- they decided there must be another way. Stop support of putting userid, password in a URL;

Microsoft will soon release a software update for IE that will end that browser's ability to accept Web URLs (Uniform Resource Locators) that hide the address of the Web page being displayed using the @ symbol. The update will remove a feature that is being exploited in scams that use spoof Web sites to harvest personal information from unsuspecting Internet users, Microsoft said in a note posted on its Web page Tuesday.

(source: //infoworld)

This will not only break the //HTTP standard (now that would be a primer) but also the hearts of thousends of young childeren trying to access http://www.z@ppelin.nl. And not seeing a cute site but a friendly IE page cannot be found error on a saterday morning. I can feel the pain..

--
-- for undocumented cisco commands, take a peek @ dotu