Re: MS to stop allowing passwords in URLs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

McAllister, Andrew wrote: 
I just read that Microsoft will stop allowing IDs and passwords to be
embedded in URLs used by Internet Explorer. So you will no longer be
able to use a URL like https://user:password@www.somehost.com/

See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

Their reasoning is that this will mitigate status bar spoofing as has
recently been discussed here and in other forums. The article even goes
so far as to admit that recent versions of IE show only the URL before
the @ sign while older versions do not.

Apparently MS has decided that this RFC URL syntax is simply too
dangerous to allow in their products. 

Their suggested workarounds include among others:
  1) Having users click the "Remember my password" checkbox in IE.
  2) Using cookies.

I personally use this syntax in only one production application, BBTray
- a windows tray applet that watches my bigbrother monitoring server.
Click the applet and it opens a browser window with the
id:passowrd@server.com syntax. The ID and password is specific to our
bigbrother application, my workstation sits behind two firewalls and I
am the only admin on the box. So, I consider this use to be legit and
relatively safe given the convenience it provides.

I certainly don't consider the "remember my password" functionality nor
stored cookies any more or less safe than this syntax.

Anyone have any comments regarding legitimate uses of this syntax and
Microsoft removing it from their browser? (and presumably the OS since
the browser IS the OS).

Andrew McAllister
University of Missouri


Despite what MS's notice says, presumably the primary motive for this was to avoid the URL spoofing detailed here (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-004.asp). In fact, that webpage specifically states that it is to fix ``three newly-discovered vulnerabilities'' (``newly=discovered'' apparently being a relative term), including ``a misrepresentation of the URL in the address bar of an Internet Explorer window''.

So the security reasons they cite on the page you link to probably aren't that they consider that syntax to be insecure relative to cookies or ``Remember My Password'', but that the best way to avoid URL spoofing they could come up with (after, apparently, months of effort) was to eliminate the feature alltogether.

I can think of another great way to fix the vulnerabilities in Windows. It's called fdisk.

Hope that helps!
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux