W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2004

Re: Microsoft to Strike IE URL Passwords

From: <wizard@newsreports.org>
Date: Fri, 30 Jan 2004 16:34:41 -0500
Message-ID: <401ACDF1.F22E11AC@newsreports.org>
To: ietf-http-wg-request@w3.org, HTTP Working Group <ietf-http-wg@w3.org>, mikehow@microsoft.com
Cc: Dave Kristol <dmk@acm.org>


Is this not really a rendering problem?

This remark includes the "%01" problem,
and user perception that the leading
part before the "@" is the web site.

The first is a problem internal to the
browser, and should be fixed.

The second is a rendering problem, in
that many users do not know the difference.
Therefore, it is more useful to present
the url to the user without the credentials

If the embedded credentials are permitted
in a valid url, and that url is embedded
as, for example, the href of an <a> tag,
and the browser does not retrieve the
referenced resource, then the browser 
is broken.

Removing this valid behaviour will, in some
cases, break many months of work. I am
involved in one such case.


Michael Howard wrote:
> Only the form: "http(s)://username:password@server/resource.ext"  is
> being removed; basic auth is untouched.
> Cheers, Michael
> [Writing Secure Code 2nd Edition]
> http://www.microsoft.com/mspress/books/5957.asp
> [Protect Your PC] http://www.microsoft.com/protect
> [Blog] http://blogs.msdn.com/michael_howard
> -----Original Message-----
> From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
> On Behalf Of Dave Kristol
> Sent: Thursday, January 29, 2004 11:38 AM
> To: HTTP Working Group
> Subject: Microsoft to Strike IE URL Passwords
> <http://www.internetnews.com/dev-news/article.php/3305741>
> If I understand this article correctly, it sounds like MS IE will remove
> support for Basic Authentication.  While we all agree that cleartext
> passwords are evil, this sounds to me like it will create a major
> compatibility problem at sites that use Basic.  And note that it covers
> Basic over SSL, too, where the passwords would *not* be cleartext.
> Dave Kristol



iis bandwidth protection -- http://coldlink.com/

iis password protection -- http://wanderware.com/


Received on Friday, 30 January 2004 16:31:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:37 UTC