Microsoft To Remove Support For http(s) auth URLs
damohasi writes "According to the Microsoft Knowledge Base, MS 'plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer'. Whether this will break RFC 1738 or not, it might get webspace providers in trouble who offer @-domains like the German 1und1."
You guys make it look like they don't have a workaround for some sites. Read the bottom.
I understand why they'd want to disable that format... but it is a standard, after all -- why not just pop up a warning showing the site you're really going to?
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
According to the Microsoft KB article itself, this is actually a fix for the IE spoofing problem reported in late 2003:
Despite the negative side-effect, this update is actually a fix for a large security issue in IE. Phishing has become a big problem recently, especially since Microsoft acknowledged the bug in IE. Now if users actually run the update, and then check to see the actual address to which they are giving information, phishing may not be as big of a problem.
A computer is a valuable tool, so use it and stop whining.
Because breaking standards compliance is a much better solution than fixing your fucking software in the first place!
There are several browsers which implement this feature without it being a security hole or risk. This is yet more evidence of Microsoft's inadequate attempts to provide a decent product, and yet more reason to advocate for unbundling IE - what incentive does M$ have to create a decent browser if their POS is installed on most desktops by default?
Then again, it's more reason for people to switch away to a proper web browser, so I guess it's not all bad news...
Of course they are going to be better than linux after all they paid for the study.
Life is good then we code some more then life is better. !#/usr/bash exec=sco
...note that slashdot doesn't allow them either, and for similar reasons. :)
http://goatse.cx%01%00@microsoft.com/ <-- I wonder why?
pb Reply or e-mail; don't vaguely moderate.
The reason they are doing this is due to the security hole that was found in IE recently.
Instead of fixing the bug that is causing the security hole they remove the feature. How stupid and dumb is that? It is more-or-less saying, "We have got no idea how to program and can't make enough sense of our own code to fix a security issue."
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
This is hilarious. There's a bug in IE that's being exploited to steal credit card information. MS evidently hasn't figured out how to fix it so they'll remove support for a whole feature of HTTP.
I'm starting to see a pattern here. IE has standards-compliance issues and MS doesn't seem to be making any moves to increase standards support or support additional standards. The IE rendering engine hasn't really changed in years now and there aren't any plans on the horizon either. A bug that should be simple to fix hasn't been fixed in weeks (months?) and before they release a fix, they're releasing a workaround to one of the (several) problems that the bug is causing.
My conclusion? The IE code base is a mess. Like Netscape 4, it's grown too fast and with too little control from competent engineers. Forget things like proper CSS2 support: the IE team can't even wrestle the code to fix a simple bug. I wouldn't be surprised if MS has for some time now been in the process of rewriting IE (or substantial parts of it) from scratch. After all, it worked for the Mozilla Project.
Gates' Law: Every 18 months, the speed of software halves.
Well, if they want to do it logically, they could remove ambiguity by auto-reformatting URLs so that www.citibank.com@hax0rheaven.com gets displayed as something like

hax0rheaven.com username:www.citibank.com

with username as a separate field adjacent to the URL bar. Or whatever their UI gurus come up with, as long as it is distinctly separated from the domain.
They could even have it look for things like an URL as a username or password. It won't break the standards; it'll just change the presentation of the URL. I can't imagine why they'd even think of breaking a standard like HTTP or HTTPS in the first place.
Photos.
Slashbots need to understand that this update is a non-issue. *No* standard is broken by it!
A far more sensible solution that I would propose is to do the following:
When a URL such as http://user:pass@www.domain/ is entered, display http://www.domain/ in the Address Bar and put "Logged in as user" in the status bar. This works just as well with https URLs, and would also give people a better sense of security since their passwords wouldn't be displayed in the address bar when viewing pages on an authenticated site.
It makes me wonder how much they are paying people to come up with solutions which involve breaking standards in the name of "security" when I can come up with a better idea in under 30 seconds...
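The two display proposals above (show the real host apart from the user name, and never show the password), as an added Python example that is not from this thread or from Microsoft. The URL grammar follows RFC 1738 section 3.1; the only sample URLs are the thread's own www.citibank.com@hax0rheaven.com and user:pass@www.domain, plus one constructed URL using the %01%00 trick mentioned earlier in the thread.

```python
import re
from urllib.parse import unquote

# RFC 1738 section 3.1 layout: //<user>:<password>@<host>:<port>/<url-path>
_URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?:(?P<userinfo>[^/@]*)@)?"
    r"(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$", re.IGNORECASE)
_HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def split_url(url):
    """Split an http(s) URL into its RFC 1738 parts; user/password are %-decoded."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an http(s) URL: %r" % url)
    parts = m.groupdict()
    parts["user"] = parts["password"] = None
    if parts["userinfo"] is not None:
        user, sep, password = parts["userinfo"].partition(":")
        parts["user"] = unquote(user)
        parts["password"] = unquote(password) if sep else None
    return parts

def spoof_indicators(parts):
    """Reasons the userinfo of this URL could mislead a reader about the real host."""
    reasons = []
    for field in ("user", "password"):
        value = parts[field]
        if not value:
            continue
        visible = "".join(c for c in value if c.isprintable())
        if _HOSTLIKE.match(visible):
            reasons.append("%s looks like a hostname: %s" % (field, visible))
        if visible != value:  # e.g. %01%00 sequences that hide what follows them
            reasons.append("%s contains non-printable characters after %%-decoding" % field)
    return reasons

def display(url):
    """Return (address bar text, status bar text, warnings) for the browser chrome."""
    parts = split_url(url)
    port = ":" + parts["port"] if parts["port"] else ""
    address = "%s://%s%s%s" % (parts["scheme"].lower(), parts["host"], port, parts["path"] or "/")
    status = ""
    if parts["user"] is not None:
        # show the user name with control characters escaped, but never the password
        shown = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in parts["user"])
        status = "Logged in as %s" % shown
    return address, status, spoof_indicators(parts)
```

Calling display("http://www.citibank.com@hax0rheaven.com/login") yields the address bar text http://hax0rheaven.com/login, the status text "Logged in as www.citibank.com" and a warning that the user name looks like a hostname.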
This may not be as bad as it initially looks.
This only affects IE and not the servers so that any scripts you write to connect to servers using user:pass@domain will still be properly authenticated by the server.
From the user point of view if a site requires authentication, IE will popup a dialogue asking for a username and password like it already does if you haven't already specified the details in the URL.
What you'll lose is the ability to send someone one link that automatically authenticates.
In fact, the communication between IE and the server stays true to the RFC - just that the interface will change to prevent one way of using the RFC being presented directly to the user. For example, there's no box under the URL bar to manually change the referrer field to be sent with your request, nor is there a menu button with a dialogue called "add query parameter to URL".
Maybe Microsoft realizes that their products are for people who aren't capable of thinking. Maybe they are dumbing down their product. I wouldn't be surprised if they start distributing IE Home version and IE Professional ($200 a pop?). Maybe I'm just trying to be too nice. I can't see them having to remove the whole feature to fix one URL handler bug. Maybe their code base is that terrible, but I think it has to do with its userbase. Friends don't let friends use IE.
LMAO. Ok, let me get this straight. Instead of properly fixing the bug, they issue this extravagant workaround. Is it really that hard to fix properly? I mean, it's been over a month and people are very actively exploiting this problem. I remember MS promising us a couple of years ago their secured computing initiative (or whatever they called it). This doesn't look like much effort to me. Looks more like they don't want to fix the problem properly, so they are using this workaround of disabling it. Not saying @ URLs are particularly useful, but it does make you wonder what else they half-ass internally that we never hear about.
The problem is that IE is *not* standards compliant because it allows URLs with the user:passwd@host scheme.
No, that's part of RFC 1738 (as linked to above). Look at section 3.1 for that exact scheme. This is a case where they are (soon: were) standards compliant.
-- MarkusQ
... except for the wording, and it does not show the password.
Go to http://www.opera.com/ and see for yourself.
Tux2000 <-- Opera is my default browser
Denken hilft.
It's not hip anymore, unless you work for a company that is still in the pre-dot-com-hype cycle, but there used to be a time when putting an @ (at) sign in a name or a brand would create this e-internet feeling. corry even started the "don't abuse the at sign" campaign somewhere in 2000.
During the rise of this @buse (atbuse?), a Dutch TV show for kids called z@ppelin started out. It's primarily a TV show, but like any multi-channel-format thingy, they ought to have a website as well.
When they first aired their commercials with the URL in it, I felt sorry for all the kids. The URL was z@ppelin.nl and I know most RFCs by heart, so I knew at-signs are not allowed in hostnames or domain names. So typing in this URL would lead the kid towards a friendly IE "page cannot be found". And even dad -who works as an IT consultant- couldn't solve it because they never taught him anything about open standards during his elite MCSE training of 4 days.
Or so I thought...
And then the commercial aired again. And again. And I started wondering, they are not that stupid at our national broadcast organisation. And then it hit me: they use the user:password@fullyqualifieddomainname trick, where the user is z and the password is empty, which leads to user z @ host ppelin.nl.
So all users logged in are the user z and the domain name is ppelin.nl! Neat, I thought, cool trick! (See for yourself by going to http://www.z@ppelin.nl)
Years passed... And then... Microsoft f*cked up again, a huge hole -big enough to drive a truck through- showed up in Internet Exploiter. One can misuse the user:password@fqdn in a bad way. Microso~1 promised there won't be any hotfixes during the month December 2003. So they ignored this bug. And they ignored... up to the point that banks took down their online service because of the risk of URL spoofing.
So micoshaft wrote an entry in their kbase, asking endusers ... to stop clicking on the blue underlined things (we like to call them links) in the browser and type the full URL -including javascript!- in the browser. Well, that didn't do the trick, Redmond!
Once their usability-is-a-mousepointer department heard about this -days later- they decided there must be another way: stop support of putting userid, password in a URL;
Microsoft will soon release a software update for IE that will end that browser's ability to accept Web URLs (Uniform Resource Locators) that hide the address of the Web page being displayed using the @ symbol. The update will remove a feature that is being exploited in scams that use spoof Web sites to harvest personal information from unsuspecting Internet users, Microsoft said in a note posted on its Web page Tuesday.
(source: infoworld)
This will not only break the HTTP standard (now that would be a primer) but also the hearts of thousands of young children trying to access http://www.z@ppelin.nl. And not seeing a cute site but a friendly IE "page cannot be found" error on a Saturday morning. I can feel the pain..
-- for undocumented cisco commands, take a peek @ dotu