Slashdot Mirror


Microsoft To Remove Support For http(s) auth URLs

damohasi writes "According to Microsoft Knowledge Base, MS "plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer". Whether this will break RFC 1738 or not, it might get webspace providers in trouble who offer @-domains like the German 1und1."

7 of 79 comments

  1. first post by Anonymous Coward · Score: 0, Interesting

    You guys make it look like they don't have a workaround for some sites. Read the bottom.

    1. Re:first post by Gaijin42 · Score: 2, Interesting

      No, you are incorrect.

      the URL standard allows for a username and password, but it is not required. However, the HTTP and HTTPS sections of the URL standard specifically disallow the use of a username and password

      URL RFC

      read section 3: (some of the text below is garbled, because I don't feel like escaping out all the > and < in the text below, however that does not change the important bits.)

      3.3 HTTP
      The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).

      The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs.

      An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

      where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted.

      Within the <path> and <searchpart> components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure.

  2. darn. by pb · Score: 4, Interesting

    ...note that slashdot doesn't allow them either, and for similar reasons. :)

    http://goatse.cx%01%00@microsoft.com/ <-- I wonder why?

    --
    pb Reply or e-mail; don't vaguely moderate.
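The following is an added example, not code from the thread, from RFC 1738 or from Microsoft's update. It illustrates the point Gaijin42 and pb are both making: in the generic URL syntax the host is whatever follows the last "@" in the authority, so everything a reader notices first in `http://goatse.cx%01%00@microsoft.com/` is user name, not host. The parser splits an http(s) URL the way RFC 1738 / RFC 3986 define the authority, then applies two policies: `legacy` (accept userinfo, as IE did before the update) and `strict` (reject any userinfo in http/https, which is what RFC 1738 section 3.3 specifies and what the KB article announces). The function names, the policy labels and the spoof heuristics are my own assumptions, not anything from the page.

```javascript
// Added example (not code from the Slashdot thread, RFC 1738 or Microsoft's
// update).  Function names and the 'legacy' / 'strict' labels are assumed.

// Parse scheme://authority/path?query#fragment and split the authority into
// userinfo, host and port.  Returns null for anything that is not http(s).
function parseHttpUrl(url) {
  const m = /^(https?):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const authority = m[2];

  // RFC 3986 section 3.2: userinfo is everything before the LAST "@".
  // That is the whole trick in "http://goatse.cx%01%00@microsoft.com/":
  // the text a reader notices first is the user name, not the host.
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);

  // host[:port]; an IPv6 literal in brackets keeps its own colons.
  const hp = /^(\[[^\]]*\]|[^:]*)(?::(\d*))?$/.exec(hostport);
  if (!hp || hp[1] === '') return null;
  const port = hp[2] ? Number(hp[2]) : (scheme === 'https' ? 443 : 80);

  return {
    scheme,
    userinfo,
    host: hp[1].toLowerCase(),
    port,
    path: m[3] || '/',
    query: m[4] || '',
    fragment: m[5] || '',
  };
}

// Signs that the userinfo is there to mislead a reader rather than to log in:
// it starts with something shaped like a hostname, or it carries C0 control
// characters (raw or percent-encoded), which no real user name needs and
// which cut the string short the moment it reaches NUL-terminated C handling.
function spoofIndicators(parsed) {
  const reasons = [];
  if (parsed.userinfo === null) return reasons;
  const user = parsed.userinfo.split(':')[0];
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(user)) {
    reasons.push('userinfo starts with a hostname-like label');
  }
  if (/%[01][0-9a-f]/i.test(parsed.userinfo)) {
    reasons.push('percent-encoded control character in userinfo');
  }
  if (/[\x00-\x1f\x7f]/.test(parsed.userinfo)) {
    reasons.push('raw control character in userinfo');
  }
  return reasons;
}

// 'legacy': accept userinfo (generic URL syntax, what IE did before the update).
// 'strict': reject any userinfo in http/https, which is what RFC 1738
//           section 3.3 specifies and what the KB article announces.
function checkUrl(url, policy) {
  policy = policy || 'strict';
  const p = parseHttpUrl(url);
  if (!p) return { ok: false, reason: 'not an http(s) URL' };
  if (p.userinfo !== null && policy === 'strict') {
    return { ok: false, reason: 'userinfo not allowed in http(s) URL', host: p.host };
  }
  return { ok: true, host: p.host, warnings: spoofIndicators(p) };
}

// The two spoof-style URLs quoted in the thread, under both policies.
for (const u of ['http://goatse.cx%01%00@microsoft.com/', 'http://hackers.com@www.ebay.com']) {
  console.log(u, '\n  strict:', checkUrl(u, 'strict'), '\n  legacy:', checkUrl(u, 'legacy'));
}
```

Two things worth noticing when running it: the effective host of pb's URL is `microsoft.com` under either policy, and the `strict` policy never has to decide whether the userinfo is malicious, which is exactly the appeal of Microsoft's blanket removal over a display heuristic like `spoofIndicators`.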
  3. What a crap way around fixing the security hole by a.koepke · Score: 4, Interesting

    The reason they are doing this is due to the security hole that was found in IE recently.

    Instead of fixing the bug that is causing the security hole they remove the feature. How stupid and dumb is that? It is more-or-less saying, "We have got no idea how to program and can't make enough sense of our own code to fix a security issue."

    --


    (\(\
    (^.^)
    (")")
    *This is the cute bunny virus, please copy this into your sig so it can spread
  4. Re:An RFC violation or just an interface change? by gbjbaanb · Score: 2, Interesting

    I'm not sure that's correct. The browser relies on the inet dlls to make connections - and they will be the bits that are changed. (i.e. the edit field in the browser will not parse the text, it'll pass it on to the comms subsystem).

    If MS alters the inet dlls then, all http communications will be affected by the change, and so the server will never see any packets even if you connect via scripts. (which is a good thing, you don't want a vbs script to auto-open hackers.com@www.ebay.com)

    I think it's only a matter of time before the other browsers fix their systems to work in the same way - the feature is not standards compliant, so... best get rid of it now (and not get hit with a similar exploit).

  5. Re:Hell of a work around by __past__ · Score: 2, Interesting

    There Is No Bug. URLs with username/password parts work as they should in IE - but this, technically proper, behaviour is exploitable. It is not a technical problem, more like a way of social engineering - uneducated users or users that don't pay much attention to the URL may interpret it differently than the browser does. So it is pretty much impossible to "fix it properly".

    This "solution" still sucks, there are good reasons to use such URLs, and for many of them, you explicitly do not want a popup. The 1und1 "@-domains" are not one of those however, these idiots deserve to suffer (and the morons who paid for this... well, a fool and his money...)

  6. Re:Alternate solutions by bobv-pillars-net · Score: 2, Interesting

    Just to play devil's advocate, let's suppose I were a Microsoft programmer, considering the following two options:

    1. Make the following changes to Internet Explorer and related software:
      • Change the display code to recognize a special class of URLs which should be treated differently from other URLs.
      • Create a special function and associated UI elements to deal with such URLs.
      • Test and refine the implementation until computer novices do the right thing automatically.

    2. Disable a feature that has caused negative publicity since its implementation.

    Keep in mind that in order to justify my choice to upper management, I must prove that it generates the most profit for the least investment.

    Hmm.......

    --
    The Web is like Usenet, but
    the elephants are untrained.