Microsoft To Remove Support For http(s) auth URLs

← Back to Stories (view on slashdot.org)

Microsoft To Remove Support For http(s) auth URLs

Posted by timothy on Wednesday January 28, 2004 @03:53AM from the was-sonst dept.

damohasi writes "According to Microsoft Knowledge Base, MS "plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer". Whether this will break rfc 1738 or not, it might get webspace provider in trouble who offer @-domains like the German 1und1."

23 of 79 comments (clear)

Min score:

Reason:

Sort:

Alternate solutions by jtheory · 2004-01-28 03:58 · Score: 4, Insightful

I understand why they'd want to disable that format... but it is a standard, after all -- why not just pop up a warning showing the site you're really going to?

--
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
1. Re:Alternate solutions by spitzak · 2004-01-28 05:48 · Score: 3, Insightful
  
  After reading all the comments here, I agree that MS's "solution" is bogus. A far better one would be:
  
  1. Fix the status preview. But instead of showing the full path, show the actual URL with the usernae and password stripped, or show it with a leading '@'. This will hide the username/password from casual viewing, something a reply to this same comment said is a problem to his actual use of this scheme in browsers other than IE.
  
  2. If the user clicks on such a link, pop up a box asking if the user really wants to do this. However a relative link (ie from one location with the same name&password to another) does not pop up the box.
  
  3. To be really clever the box can also let the user choose a different name or password, prefilled with the URL values. Be careful to design it so a novice user is absolutely certain to cancel the box rather than hit ok.
2. Re:Alternate solutions by bobv-pillars-net · 2004-01-28 08:44 · Score: 2, Interesting
  Just to play devil's advocate, let's suppose I were a Microsoft programmer, considering the following two options:
  
  Make the following changes to Internet Explorer and related software:
  
  Change the display code to recognize a special class of URLs which should be treated differently from other URL's.
  
  Create a special function and associated UI elements to deal with such URL's.
  
  Test and refine the implementation until computer novices do the right thing automatically.
  
  Disable a feature that has caused negative publicity since its implementation.
  
  Keep in mind that in order to justify my choice to upper management, I must prove that it generates the most profit for the least investment.
  
  Hmm.......
  --
  The Web is like Usenet, but
  the elephants are untrained.
3. Re:Alternate solutions by JabberWokky · 2004-01-28 11:32 · Score: 2, Informative
  
  Konqueror does this... well, it actually hides the password only, so you still have the form:
  http://username@domain.ext/path/
  If you use username:password, the password goes away when the URL is parsed and stored and used for future hits to the same username/domain pair (for that session).
  --
  Evan
  
  --
  "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Actually a bug fix for the IE spoofing problem by joncarwash · 2004-01-28 04:00 · Score: 5, Insightful

According to the Microsoft KB article itself, this is actually a fix for the IE spoofing problem reported in late 2003:

A malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com: http://www.wingtiptoys.com@example.com

Despite the negative side-effect, this update is actually a fix for a large security issue in IE. Phishing has become a big problem recently, especially since Microsoft acknowledged the bug in IE. Now if users actually run the update, and then check to see the actual address to which they are giving information, phishing may not be as big of a problem.

--
A computer is a valuable tool, so use it and stop whining.
Of Course... by alexpage · 2004-01-28 04:01 · Score: 4, Insightful

Because breaking standards compliance is a much better solution than fixing your fucking software in the first place!

There are several browsers which implement this feature without it being a security hole or risk. This is yet more evidence of Microsoft's inadequate attempts to provide a decent product, and yet more reason to advocate for unbundling IE - what incentive to M$ have to create a decent browser if their POS is installed on most desktops by default?

Then again, it's more reason for people to switch away to a proper web browser, so I guess it's not all bad news...
1. Re:Of Course... by drnlm · 2004-01-28 04:16 · Score: 5, Informative
  
  To quote the RFC:
  An HTTP URL takes the form:
  http://<host>:<port>/<path>? <searchpart>
  where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.
  The allowing of username, password in http urls is a convention, but is certainly not the standard. If Microsoft does this, they'll actually be able to claim that IE is more standards-compliant than other browsers that allow the syntax.
  Whether allowing this syntax is a good or bad idea is a completely different debate (and slashdot is arguably the wrong forum to discuss it :) ).
2. Re:Of Course... by EvilJohn · 2004-01-28 05:08 · Score: 3, Informative
  
  and to Continue Quoting the RFC:
  3.1. Common Internet Scheme Syntax While the syntax for the rest of the URL may vary depending on the particular scheme selected, URL schemes that involve the direct use of an IP-based protocol to a specified host on the Internet use a common syntax for the scheme-specific data:
  
  //<user>:<password>@<host>:<port>/<url-path>
  ...and so on. The RFC seems to allow indicate this indeed is a valid URL contruction.
  
  --
  
  Less Talk, More Beer.
3. Re:Of Course... by gbjbaanb · 2004-01-28 05:27 · Score: 2, Informative
  
  its not terribly clear, but HTTP is not part of the 'Common Internet Scheme'. Look at section 3.3 where it gives the scheme for HTTP fully.
  
  The only ones that do make use of user:passwd are ftp and telnet.
darn. by pb · 2004-01-28 04:02 · Score: 4, Interesting

...note that slashdot doesn't allow them either, and for similar reasons. :)

http://goatse.cx%01%00@microsoft.com/ <-- I wonder why?

--
pb Reply or e-mail; don't vaguely moderate.
1. Re:darn. by Imperator · 2004-01-28 04:14 · Score: 2, Funny
  
  Actually this bug works in the opposite order--the first string is the one that's displayed. Then again, maybe your meant that: after all, it's not inconceivable that people would be more willing to give their credit card number over to the goatse guy than to Microsoft...
  
  --
  
  Gates' Law: Every 18 months, the speed of software halves.
2. Re:darn. by pb · 2004-01-28 04:17 · Score: 3, Funny
  
  Well, you know, the difference between Bill Gates and the goatse.cx guy... one is a giant asshole, well-known and feared by many, and the other one is just a regular guy with a personal website for himself...
  
  --
  pb Reply or e-mail; don't vaguely moderate.
What a crap way around fixing the security hole by a.koepke · 2004-01-28 04:02 · Score: 4, Interesting

The reason they are doing this is due to the security hole that was found in IE recently.

Instead of fixing the bug that is causing they security hole they remove the feature. How stupid and dumb is that? It is more-or-less saying, "We have got no idea how to program and cannt make enough sense of our own code to fix a security issue."

--

(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
Re:first post by DjReagan · 2004-01-28 04:09 · Score: 5, Insightful

And you think its a reasonable work-around for an end user to be editing registry entries in order to get functionality that is specified in the RFCs?

--
"When I grow up, I want to be a weirdo"
ROFL by Imperator · 2004-01-28 04:12 · Score: 4, Insightful

This is hilarious. There's a bug in IE that's being exploited to steal credit card information. MS evidently hasn't figured out how to fix it so they'll remove support for a whole feature of HTTP.

I'm starting to see a pattern here. IE has standards-compliance issues and MS doesn't seem to be making any moves to increase standards support or support additional standards. The IE rendering engine hasn't really changed in years now and there aren't any plans on the horizon either. A bug that should be simple to fix hasn't been fixed in weeks (months?) and before they release a fix, they're releasing a workaround to one of the (several) problems that the bug is causing.

My conclusion? The IE code base is a mess. Like Netscape 4, it's grown too fast and with too little control from competent engineers. Forget things like proper CSS2 support: the IE team can't even wrestle the code to fix a simple bug. I wouldn't be surprised if MS has for some time now been in the process of rewriting IE (or substantial parts of it) from scratch. After all, it worked for the Mozilla Project.

--

Gates' Law: Every 18 months, the speed of software halves.
1. Re:ROFL by imr · 2004-01-28 05:54 · Score: 2, Insightful
  
  I think the situation is even worse than that:
  they tied the browser to the os and now they cant fix the browser without breaking everything that is tied to it. And that means all software, not only redmond's, that is based upon those components.
  Therefore, they can't apply one patch without tons of tests and that means time. So for a quick fix, they can't do anything but nerf the feature.
  But don't worry, with .net and longhorn, things will get integrated even thighter into the os. Welcome to .netmare.
  
  Meanwhile, having source code available and system and apps clearly separated under linux, it's just a matter of recompiling, fixing the eventual bug in the third party apps, and then the users just have to:
  urpmi
  apt get
  yum
  emerge
  download the bunch of tgz
  whatever their preference is, and everithing is upgraded at once.
  
  Which reminds me of this work of this guy from cambridge who kinda proved that free software and proprietary's are equally secure bug wise, because after a certain amount of bugs, it takes the same time to find the next one. I bet he didnt include the bug fixing time in his equation. If you find the next bug at the same time but cant fix it for one month or are obliged to kill the features, because you can introduce new bugs outside your scope, I wouldnt say they are equally secure bug fixing wise..
More sensible solution by Ianoo · 2004-01-28 04:32 · Score: 3, Insightful

A far more sensible solution that I would propose is to do the following:

When a URL such as http://user:pass@www.domain/ is entered, display http://www.domain/ in the Address Bar and put "Logged in as user" in the status bar. This work just as well with https URLs, and would also give people a better sense of security since their passwords wouldn't be displayed in the address bar when viewing pages on an authenticated site.

It makes me wonder how much they are paying people to come up with solutions which involve breaking standards in the name of "security" when I can come up with a better idea in under 30 seconds...
1. Re:More sensible solution by Phaid · 2004-01-28 05:05 · Score: 3, Insightful
  
  Agreed, but as Windows is generally targeted at people who don't do things like read status bar text, I'd go one further and, in addition to your solution, actually have a popup like...
  
  "Security Warning"
  
  "You are about to log in to site www.haxorheaven.com, with the following credentials:
  
  username: microsoft.com
  password: %blahfafafofo.
  
  Click "OK" to proceed, "Cancel" to return to the previous page.
  
  [OK] [Cancel]"
  This would make it Really Obvious when someone is trying to misdirect users.
Re:An RFC violation or just an interface change? by gbjbaanb · 2004-01-28 04:57 · Score: 2, Interesting

I'm not sure that's correct. The browser relies on the inet dlls to make connections - and they will be the bits that are changed. (ie. the edit field in the browser will not parse the text, it'll pass it on to the comms subsystem).

If MS alters the inet dlls then, all http communications will be affected by the change, and so the server will never see any packets even if you connect via scripts. (which is a good thing, you don't want a vbs script to auto-open hackers.com@www.ebay.com)

I think its only a matter of time before the other browsers fix their systems to work in the same way - the feature is not standards compliant, so .. best get rid of it now (and not get hit with a similar exploit).
Re:Hell of a work around by __past__ · 2004-01-28 05:21 · Score: 2, Interesting

There Is No Bug. URLs with username/password parts work as they should in IE - but this, technically proper, behaviour is exploitable. It is not a technical problem, more like a way of social engineering - uneducated users or users that don't pay much attention to the URL may interpret it differently that the Browser does. So it is pretty much impossible to "fix it properly".
This "solution" still sucks, there are good reasons to use such URLs, and for many of them, you explicitly do not want a popup. The 1und1 "@-domains" are not one of those however, these idiots deserve to suffer (and the morons who paid for this... well, a fool and his money...)

--
Programming can be fun again. Film at 11.
Re:Hell of a work around by DukeyToo · 2004-01-28 06:10 · Score: 2, Insightful

Of course it is possible to fix it properly. All other browsers do it just fine.

And of course it is a bug. It is a bug, because it is not the behavior that the programmers expected when they wrote the browser software.

--
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
Re:Hell of a work around by ShaggyZet · 2004-01-28 06:14 · Score: 2, Informative

Yes, there is a bug. If the phisher puts a special character before the @ sign, then the url bar in the browser doesn't display the true destination. So educated or not, the user has no idea that they aren't really talking to citibank, fdic, etc.
Re:first post by Gaijin42 · 2004-01-28 06:38 · Score: 2, Interesting

No, you are incorrect.

the URL standad allows for a username and password, but it is not required. However, the HTTP and HTTPS section of the URL standard specifically disallow the use of a username and password

URL RFC

read section 3 : (some of the text below is garbled, because I dont feel like escaping out all the > and < in the text below, however that does not change the important bits.)

3.3 HTTP
The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs.

An HTTP URL takes the form:

http://>:/?

where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.

Within the and components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure.