W3C home > Mailing lists > Public > uri@w3.org > January 2004

[mikehow@microsoft.com: RE: Microsoft to Strike IE URL Passwords]

From: Mark Baker <distobj@acm.org>
Date: Fri, 30 Jan 2004 13:52:25 -0500
To: uri@w3.org
Message-ID: <20040130135225.B31315@www.markbaker.ca>

FYI.

Mark.

----- Forwarded message from Michael Howard <mikehow@microsoft.com> -----

From: "Michael Howard" <mikehow@microsoft.com>
To: "Dave Kristol" <dmk@acm.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
Subject: RE: Microsoft to Strike IE URL Passwords
Date: Fri, 30 Jan 2004 08:54:36 -0800


Only the form: "http(s)://username:password@server/resource.ext"  is
being removed; basic auth is untouched.


Cheers, Michael

[Writing Secure Code 2nd Edition]
http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org]
On Behalf Of Dave Kristol
Sent: Thursday, January 29, 2004 11:38 AM
To: HTTP Working Group
Subject: Microsoft to Strike IE URL Passwords





<http://www.internetnews.com/dev-news/article.php/3305741>

If I understand this article correctly, it sounds like MS IE will remove
support for Basic Authentication.  While we all agree that cleartext
passwords are evil, this sounds to me like it will create a major
compatibility problem at sites that use Basic.  And note that it covers
Basic over SSL, too, where the passwords would *not* be cleartext.

Dave Kristol

----- End forwarded message -----

-- 
Mark Baker.   Ottawa, Ontario, CANADA.        http://www.markbaker.ca
Received on Friday, 30 January 2004 13:53:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:07 UTC