Slashdot Mirror


Microsoft To Remove Support For http(s) auth URLs

damohasi writes "According to the Microsoft Knowledge Base, MS "plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer". Whether this will break RFC 1738 or not, it might get webspace providers in trouble who offer @-domains like the German 1und1."

5 of 79 comments

  1. Re:Of Course... by drnlm · · Score: 5, Informative
    To quote the RFC:

    An HTTP URL takes the form:
    http://<host>:<port>/<path>?<searchpart>
    where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.

    The allowing of username, password in http urls is a convention, but is certainly not the standard. If Microsoft does this, they'll actually be able to claim that IE is more standards-compliant than other browsers that allow the syntax.

    Whether allowing this syntax is a good or bad idea is a completely different debate (and slashdot is arguably the wrong forum to discuss it :) ).

  2. Re:Of Course... by EvilJohn · · Score: 3, Informative
    And to continue quoting the RFC:
    3.1. Common Internet Scheme Syntax. While the syntax for the rest of the URL may vary depending on the particular scheme selected, URL schemes that involve the direct use of an IP-based protocol to a specified host on the Internet use a common syntax for the scheme-specific data:
    //<user>:<password>@<host>:<port>/<url-path>
    ...and so on. The RFC seems to indicate this is indeed a valid URL construction.
    --

    Less Talk, More Beer.
  3. Re:Of Course... by gbjbaanb · · Score: 2, Informative

    It's not terribly clear, but HTTP is not part of the 'Common Internet Scheme'. Look at section 3.3 where it gives the scheme for HTTP fully.

    The only ones that do make use of user:passwd are ftp and telnet.

  4. Re:Hell of a work around by ShaggyZet · · Score: 2, Informative

    Yes, there is a bug. If the phisher puts a special character before the @ sign, then the url bar in the browser doesn't display the true destination. So educated or not, the user has no idea that they aren't really talking to citibank, fdic, etc.

  5. Re:Alternate solutions by JabberWokky · · Score: 2, Informative
    Konqueror does this... well, it actually hides the password only, so you still have the form:

    http://username@domain.ext/path/

    If you use username:password, the password goes away when the URL is parsed and stored and used for future hits to the same username/domain pair (for that session).

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
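
The two behaviours discussed in comments 4 and 5, shown with a modern URL parser as an added example (this is not code from the Slashdot thread, from Microsoft, or from Konqueror). Node's global WHATWG `URL` treats everything before "@" in the authority as userinfo, so a link such as `http://www.citibank.com%01@evil.example/login` connects to `evil.example` while the text a user reads starts with the bank's name. On top of that parse the block adds a link check that rejects http(s) URLs carrying userinfo and explains why, a `hidePassword` function mirroring what comment 5 says Konqueror does (keep the user name, drop the password), and a stricter `stripUserinfo`. The hosts `evil.example`, `intranet.example` and `domain.ext` and the sample links are constructed for the example; nothing is fetched.

```javascript
// Added example for this thread, not code from Slashdot, Microsoft or Konqueror.
// Uses Node's built-in WHATWG URL parser (global URL, Node 10+). Sample hosts
// such as evil.example, intranet.example and domain.ext are constructed.

// Split a URL the way the browser will actually use it; null when it does not parse.
function describe(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname,        // where the connection really goes
    username: u.username,    // text before "@" (or before ":"), kept percent-encoded
    password: u.password,
    path: u.pathname,
    hasUserinfo: u.username !== "" || u.password !== "",
  };
}

// Policy check for a link found in mail or chat. Any userinfo on an http(s) URL is
// rejected; the reason distinguishes a hostname lookalike, or a percent-encoded
// control character such as %01 (the "special character before the @ sign" from
// comment 4), from plain embedded credentials.
function checkLink(raw) {
  const d = describe(raw);
  if (d === null) return { ok: false, reason: "unparseable URL" };
  if (d.scheme !== "http" && d.scheme !== "https") return { ok: true, reason: "not http(s)" };
  if (!d.hasUserinfo) return { ok: true, reason: "no userinfo" };
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(d.username);
  const hasControlChar = /%[01][0-9a-f]/i.test(d.username + d.password);
  if (looksLikeHost || hasControlChar) {
    return { ok: false, reason: `userinfo "${d.username}" masquerades as host; real host is ${d.host}` };
  }
  return { ok: false, reason: `credentials embedded in URL for ${d.host}` };
}

// Konqueror's behaviour as described in comment 5: keep the user name, drop the password.
function hidePassword(raw) {
  const u = new URL(raw);
  u.password = "";
  return u.href;
}

// The stricter form: drop userinfo entirely, so only the real host is shown or stored.
function stripUserinfo(raw) {
  const u = new URL(raw);
  u.username = "";
  u.password = "";
  return u.href;
}

// Constructed sample links; printed when the file is run directly.
const samples = [
  "http://www.citibank.com%01@evil.example/login",
  "http://www.citibank.com@evil.example/",
  "http://login:hunter2@intranet.example/",
  "https://www.citibank.com/",
  "http://username:secret@domain.ext/path/",
];
for (const s of samples) {
  const v = checkLink(s);
  console.log(`${v.ok ? "ok  " : "FLAG"} ${s} -> ${v.reason}; safe form: ${stripUserinfo(s)}`);
}
```

The regex in `checkLink` only catches the two lookalike patterns named in the thread; the decisive line is the one before it, which refuses any http(s) URL with userinfo at all, which is the same position Microsoft's update takes. Note that `hidePassword` still leaves `http://www.citibank.com@evil.example/` looking like a bank link, which is why the stricter `stripUserinfo` is the better default for anything shown to a user.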