Bugtraq mailing list archives
Re: MS to stop allowing passwords in URLs
From: Dave McCormick <mccormic () xecu net>
Date: Tue, 3 Feb 2004 00:06:44 -0500 (EST)
Andrew, You said: <I just read that Microsoft will stop allowing IDs and passwords to be <embedded in URLs used by Internet Explorer. So you will no longer be <able to use a URL like https://user:password () www somehost com/ I wanted to point out the option to make a reg key change that will maintain the user@ functionality instead of utilizing the new default behavior that occurs by applying the patch. <snipped from MS article> How to disable the new default behavior for handling user information in HTTP or HTTPS URLs To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0: For all users: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE For the current user only: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Overall, I think that MS is doing the right thing with this. I cannot count how many html email's I've received that are supposedly from PayPal, or Visa or <insert your favorite finacial organization here> wherein a kiddie wannabe with minimal english skills asks "please verafy your accoont information". That information is piped to a cgi on a hacked box somewhere that snarfs the info then redirects you to the real site that is supposedly asking for the info. *yawn* I guarantee that there are people out there (although probably not on this list) that have swallowed the bait and forwarded their credit card #, SSN #, all their pin numbers to every bank account they own as well as their grandmothers bra size because they were presented with an official looking html email that asked for the info. Why else do so many of these types of con jobs flood the net? This is getting to be as bad as the Nigerian email scam. You know the one that starts out, "Dear Sir, <insert impressive title of some 3rd world country here> left me 10 million dollars and I need your help." Overall I think it's the right thing to do and I'm glad that MS is doing it. just my .02 so please, flames > /dev/null Regards, Dave McCormick dave@fred.net_nospam.com mccormic@xecu.net_nospam.com "Kool-Aid anyone?" - Bill Gates
Current thread:
- RE: MS to stop allowing passwords in URLs, (continued)
- RE: MS to stop allowing passwords in URLs Joe Weisenberger (Feb 03)
- Re: MS to stop allowing passwords in URLs N407ER (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave Warren (Feb 03)
- Re: MS to stop allowing passwords in URLs David B Harris (Feb 03)
- Re: MS to stop allowing passwords in URLs Östlund (Feb 04)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 06)
- Message not available
- Re: MS to stop allowing passwords in URLs Vinny Abello (Feb 03)
- Re: MS to stop allowing passwords in URLs Ansgar -59cobalt- Wiechers (Feb 03)
- RE: MS to stop allowing passwords in URLs Andrew Harwood (Feb 03)
- Re: MS to stop allowing passwords in URLs 3APA3A (Feb 03)
- Re: MS to stop allowing passwords in URLs Dave McCormick (Feb 03)
- Re: MS to stop allowing passwords in URLs Nick FitzGerald (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 03)
- Message not available
- Re: MS to stop allowing passwords in URLs Paul Smith (Feb 03)
- RE: MS to stop allowing passwords in URLs Richard M. Smith (Feb 03)
- RE: MS to stop allowing passwords in URLs Francis Favorini (Feb 03)
- RE: MS to stop allowing passwords in URLs Thor Larholm (Feb 03)
- Re: MS to stop allowing passwords in URLs Sam Schinke (Feb 05)
- RE: MS to stop allowing passwords in URLs NESTING, DAVID M (SBCSI) (Feb 05)