Slashdot Mirror


Microsoft To Remove Support For http(s) auth URLs

damohasi writes "According to the Microsoft Knowledge Base, MS "plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer". Whether this will break RFC 1738 or not, it might get webspace providers in trouble who offer @-domains like the German 1und1."

3 of 79 comments

  1. Actually a bug fix for the IE spoofing problem by joncarwash · Score: 5, Insightful

    According to the Microsoft KB article itself, this is actually a fix for the IE spoofing problem reported in late 2003:

    A malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com: http://www.wingtiptoys.com@example.com

    Despite the negative side-effect, this update is actually a fix for a large security issue in IE. Phishing has become a big problem recently, especially since Microsoft acknowledged the bug in IE. Now if users actually run the update, and then check to see the actual address to which they are giving information, phishing may not be as big of a problem.

    --
    A computer is a valuable tool, so use it and stop whining.
  2. Re:first post by DjReagan · Score: 5, Insightful

    And you think it's a reasonable work-around for an end user to be editing registry entries in order to get functionality that is specified in the RFCs?

    --
    "When I grow up, I want to be a weirdo"
  3. Re:Of Course... by drnlm · Score: 5, Informative
    To quote the RFC:

    An HTTP URL takes the form:
    http://<host>:<port>/<path>?<searchpart>
    where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed.

    The allowing of username, password in HTTP URLs is a convention, but is certainly not the standard. If Microsoft does this, they'll actually be able to claim that IE is more standards-compliant than other browsers that allow the syntax.

    Whether allowing this syntax is a good or bad idea is a completely different debate (and Slashdot is arguably the wrong forum to discuss it :) ).
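
The link check below is an added example, not part of any comment in the thread or of Microsoft's update. It uses the WHATWG `URL` parser to split the userinfo from the host in the KB article's sample URL and flags http(s) links that carry userinfo, which the RFC text quoted in the thread does not allow. The name `checkLink`, the verdict strings and the host-like heuristic are assumptions of this example.

```javascript
// Added example: flag http(s) links whose authority carries userinfo.
// Names and verdict strings are illustrative, not from any product.

// Heuristic (assumption): userinfo shaped like a DNS name, e.g. "www.wingtiptoys.com".
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

function checkLink(href) {
  let u;
  try {
    u = new URL(href); // splits userinfo from host the way the WHATWG URL spec defines
  } catch {
    return { href, verdict: "unparseable" };
  }
  // The "no user name or password" rule quoted in the thread is for HTTP URLs only.
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { href, verdict: "not-http", host: u.hostname };
  }
  if (u.username === "" && u.password === "") {
    return { href, verdict: "ok", host: u.hostname };
  }
  // The parser percent-encodes userinfo; decode it before inspecting it.
  let user;
  try {
    user = decodeURIComponent(u.username);
  } catch {
    user = u.username; // malformed escape: keep the raw form
  }
  return {
    href,
    verdict: HOSTLIKE.test(user) ? "userinfo-looks-like-host" : "userinfo-present",
    shown: user,      // the text before "@", which reads like the destination
    host: u.hostname, // the host the request is actually sent to
  };
}

// Constructed sample links; the first is the example URL from the KB article.
const SAMPLES = [
  "http://www.wingtiptoys.com@example.com",
  "https://user:secret@intranet.example/",
  "ftp://anonymous@ftp.example.org/pub/",
  "http://example.com/",
];
for (const s of SAMPLES) console.log(checkLink(s));
```
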