W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2004

Re: Microsoft to Strike IE URL Passwords

From: <wizard@newsreports.org>
Date: Fri, 06 Feb 2004 17:27:27 -0500
Message-ID: <402414CF.E8817E6@newsreports.org>
To: ietf-http-wg-request@w3.org
Cc: ietf-http-wg@w3.org

Dave,

The KB article that was published seems to deal with
username:password and %01 as two separate "problems"
that will be addressed by a single patch.  I very
much agree that %01 is a bug and should be fixed.

username:password is a client interface problem
that should be addressed by greater/more useful
notification to the user that this is happening.

I am proposing as an alternative:

1/ the filled in dialog box as described earlier

2/ username:password@www.example.com be rendered
in the address bar as www.example.com, since it
is the prepended username:password in the form
of a legitimate host name that is confusing
users.

3/ links just not be clickable in mail clients,
or at least mail clients should default to
operating in offline mode after retrieving
messages.  this also prevents such things
as image bugs that indicate a valid email
address.

I also would note that even if username:password
is eliminated, the goal of misdirecting to a website
other than expected by the user can be achieved
easily using a javascript handler for an onclick
event which redirects to a website by ip address.

Please note that:

1/ most users do not know how to relate an ip address
to a host name, nor do they care.

2/ the onclick does not even have to appear in the
href as it can be set by javascript itself

3/ the javascript handler can further cause the
browser window to open without an address bar
at all

So, eliminating username:password will gain 
nothing in terms of eliminating misdirection
of naive users.  It would take miscreants very
little time to figure out another way to do it.

It would actually be better to have a setting
in IE that offers as an install default:

"disallow ip address as hostname"

And yes, I know that the later versions of
Outlook Express operate by default in the
restricted security zone.

My hope is that someone from Microsoft reading
this list will take note of these suggestions.

Best Regards,

Bob



David Morris wrote:
> 
> On Thu, 5 Feb 2004 wizard@newsreports.org wrote:
> 
> >
> > It is the *silent* bypassing of this dialog
> > through the *interpretation* of username@password
> > that is causing it to be a difficulty in the
> > case at hand. Popping up a dialog box is much
> > less draconian than ignoring username@password
> > altogether.
> >
> 
> Actually, the MS fix isn't for the silent bypass per se, it
> is for the fact that MSIE hides the content of the URL after the %01
> character.
> 
> In my mind, that makes it an invalid URL which should be rejected. Your
> suggestion for popping a dialog seems like a good optional security
> enhancement. Add a checkbox to not show the dialog again for the same
> server....
> 
> Dave Morris

-- 


------------------------------------------------------------------
FREE DOWNLOADS

iis bandwidth protection -- http://coldlink.com/

iis password protection -- http://wanderware.com/

------------------------------------------------------------------




..
Received on Friday, 6 February 2004 17:23:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:27 GMT