- From: <wizard@newsreports.org>
- Date: Fri, 06 Feb 2004 17:27:27 -0500
- To: ietf-http-wg-request@w3.org
- Cc: ietf-http-wg@w3.org
Dave,

The KB article that was published seems to deal with username:password and %01 as two separate "problems" that will be addressed by a single patch. I very much agree that %01 is a bug and should be fixed. username:password is a client interface problem that should be addressed by greater/more useful notification to the user that this is happening.

I am proposing as an alternative:

1/ the filled in dialog box as described earlier
2/ username:password@www.example.com be rendered in the address bar as www.example.com, since it is the prepended username:password in the form of a legitimate host name that is confusing users.
3/ links just not be clickable in mail clients, or at least mail clients should default to operating in offline mode after retrieving messages. This also prevents such things as image bugs that indicate a valid email address.

I also would note that even if username:password is eliminated, the goal of misdirecting to a website other than expected by the user can be achieved easily using a javascript handler for an onclick event which redirects to a website by ip address. Please note that:

1/ most users do not know how to relate an ip address to a host name, nor do they care.
2/ the onclick does not even have to appear in the href as it can be set by javascript itself
3/ the javascript handler can further cause the browser window to open without an address bar at all

So, eliminating username:password will gain nothing in terms of eliminating misdirection of naive users. It would take miscreants very little time to figure out another way to do it. It would actually be better to have a setting in IE that offers as an install default: "disallow ip address as hostname"

And yes, I know that the later versions of Outlook Express operate by default in the restricted security zone.

My hope is that someone from Microsoft reading this list will take note of these suggestions.
Best Regards,
Bob

David Morris wrote:
> On Thu, 5 Feb 2004 wizard@newsreports.org wrote:
> >
> > It is the *silent* bypassing of this dialog
> > through the *interpretation* of username@password
> > that is causing it to be a difficulty in the
> > case at hand. Popping up a dialog box is much
> > less draconian than ignoring username@password
> > altogether.
>
> Actually, the MS fix isn't for the silent bypass per se, it
> is for the fact that MSIE hides the content of the URL after the %01
> character.
>
> In my mind, that makes it an invalid URL which should be rejected. Your
> suggestion for popping a dialog seems like a good optional security
> enhancement. Add a checkbox to not show the dialog again for the same
> server....
>
> Dave Morris

--
------------------------------------------------------------------
FREE DOWNLOADS
iis bandwidth protection -- http://coldlink.com/
iis password protection -- http://wanderware.com/
------------------------------------------------------------------
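A client-side check for the points raised in this exchange, added here as an example and not code from the thread or from any browser or mail client it discusses: it renders a link the way point 2 proposes (host only, userinfo stripped), flags embedded userinfo that is shaped like a host name, treats a %01 or any other control character in the authority as an invalid URL as the quoted reply argues, and flags a bare IP address as host. The sample links are constructed.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Constructed sample links, not taken from the thread: a plain link, a link
# with credentials in front of the host, and a link whose userinfo is shaped
# like a trusted host name and hides a %01 control character before the '@'.
SAMPLE_LINKS = [
    "http://www.example.com/",
    "http://user:secret@www.example.com/login",
    "http://www.example.com%01@10.0.0.1/",
]

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def analyse_link(url):
    """Return (display_host, warnings) for a link.

    display_host is the host as point 2 of the message proposes showing it:
    userinfo and port stripped, so 'www.example.com%01@10.0.0.1' shows as
    '10.0.0.1'. warnings lists the conditions a client should surface to the
    user (or reject outright) rather than silently pass through.
    """
    parts = urlsplit(url)
    warnings = []
    host = parts.hostname or ""  # ignores everything before the last '@'

    if parts.username is not None or parts.password is not None:
        warnings.append("userinfo present: credentials embedded before host")
        decoded_user = unquote(parts.username or "")
        if "." in decoded_user:  # userinfo dressed up as a host name
            warnings.append(f"userinfo resembles a host name: {decoded_user!r}")

    # %01 (or any other C0 control) anywhere in the authority: invalid URL,
    # reject rather than render, as the quoted reply argues.
    if any(unicodedata.category(c) == "Cc" for c in unquote(parts.netloc)):
        warnings.append("control character in authority: reject URL")

    # Bare IP address as host: the "disallow ip address as hostname" setting.
    if IPV4.fullmatch(host):
        warnings.append(f"host is a bare IP address: {host}")

    return host, warnings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host, warnings = analyse_link(link)
        print(f"{link}\n  show as: {host}")
        for w in warnings:
            print(f"  WARNING: {w}")
```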
Received on Friday, 6 February 2004 17:23:31 UTC