Re: Microsoft to Strike IE URL Passwords


The KB article that was published seems to deal with
username:password and %01 as two separate "problems"
that will be addressed by a single patch.  I very
much agree that %01 is a bug and should be fixed.

username:password is a client interface problem
that should be addressed by greater/more useful
notification to the user that this is happening.

I am proposing as an alternative:

1/ the filled in dialog box as described earlier

2/ be rendered
in the address bar as, since it
is the prepended username:password in the form
of a legitimate host name that is confusing

3/ links just not be clickable in mail clients,
or at least mail clients should default to
operating in offline mode after retrieving
messages.  this also prevents such things
as image bugs that indicate a valid email

I also would note that even if username:password
is eliminated, the goal of misdirecting to a website
other than expected by the user can be achieved
easily using a javascript handler for an onclick
event which redirects to a website by ip address.

Please note that:

1/ most users do not know how to relate an ip address
to a host name, nor do they care.

2/ the onclick does not even have to appear in the
href as it can be set by javascript itself

3/ the javascript handler can further cause the
browser window to open without an address bar
at all

So, eliminating username:password will gain 
nothing in terms of eliminating misdirection
of naive users.  It would take miscreants very
little time to figure out another way to do it.

It would actually be better to have a setting
in IE that offers as an install default:

"disallow ip address as hostname"

And yes, I know that the later versions of
Outlook Express operate by default in the
restricted security zone.

My hope is that someone from Microsoft reading
this list will take note of these suggestions.

Best Regards,


David Morris wrote:
> On Thu, 5 Feb 2004 wrote:
> >
> > It is the *silent* bypassing of this dialog
> > through the *interpretation* of username@password
> > that is causing it to be a difficulty in the
> > case at hand. Popping up a dialog box is much
> > less draconian than ignoring username@password
> > altogether.
> >
> Actually, the MS fix isn't for the silent bypass per se, it
> is for the fact that MSIE hides the content of the URL after the %01
> character.
> In my mind, that makes it an invalid URL which should be rejected. Your
> suggestion for popping a dialog seems like a good optional security
> enhancement. Add a checkbox to not show the dialog again for the same
> server....
> Dave Morris



iis bandwidth protection --

iis password protection --



Received on Friday, 6 February 2004 17:23:31 UTC