Bugtraq mailing list archives
Re: MS to stop allowing passwords in URLs
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 06 Feb 2004 17:01:20 +1300
"Dave Warren" <dave.warren () devilsplayground net> wrote: <<big snip>>
It's probably too late, but rather then removing user:password support altogether, maybe Microsoft could replace it with a dialog that informs the user they are about to visit "session-arhuz.ru" with the username "www.herbank.com", and an appropriate warning about not revealing sensitive information, blahblahblah?
Yeah, just like the "The doument you are opening contains macros or customizations. Some macros may contain viruses that could harm your computer. [...]" warnings prevented Word macro viruses... A user naïve enough to click on such a link does, in some important sense, _want_ to visit that page. Your suggested warning is just another thing that such users see as "getting in the way of doing what I want to do". Therefore, if implemented it would become more part of the problem than the solution (as users will become ever more familiar with ignoring "warnings" and clicking through them). If you understand users, you will know that in helping them to not shoot themselves in the feet, the only useful appraoch is to remove everything capable of firing the bullets (and quite a few things beside!)... On the Word macro virus front, things got notably better _NOT_ when MS implemented the above warning (that the users could blithely ignore and even _disable_ right there on the warning dialog -- what a travesty of mis-design that was!) but when it released a version of Word that defaulted to not running macros unless they were signed with an acceptable (as configured by the user/admin) key (there are legion flaws in the design of this feature, but it was strong enough to significantly impact the Word macro virus problem). In IE, removing support for this mis-feature (read RFC 2616) will have a much greater impact than trying to "direct" users who don't want to be directed with "warnings" and other stuff that "gets in their way". -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Current thread:
- MS to stop allowing passwords in URLs McAllister, Andrew (Feb 02)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- RE: MS to stop allowing passwords in URLs Joe Weisenberger (Feb 03)
- Re: MS to stop allowing passwords in URLs N407ER (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave Warren (Feb 03)
- Re: MS to stop allowing passwords in URLs David B Harris (Feb 03)
- Re: MS to stop allowing passwords in URLs Östlund (Feb 04)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 06)
- Message not available
- Re: MS to stop allowing passwords in URLs Vinny Abello (Feb 03)
- RE: MS to stop allowing passwords in URLs Fergus Brooks (Feb 03)
- Re: MS to stop allowing passwords in URLs Ansgar -59cobalt- Wiechers (Feb 03)
- RE: MS to stop allowing passwords in URLs Andrew Harwood (Feb 03)
- Re: MS to stop allowing passwords in URLs 3APA3A (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave McCormick (Feb 03)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 03)
- Message not available
- Re: MS to stop allowing passwords in URLs Paul Smith (Feb 03)
- RE: MS to stop allowing passwords in URLs Richard M. Smith (Feb 03)
- <Possible follow-ups>
- RE: MS to stop allowing passwords in URLs Francis Favorini (Feb 03)