Full Disclosure mailing list archives

Re: Apparently the practice was prevalent


From: Scott Taylor <security () 303underground com>
Date: Sun, 08 Feb 2004 13:20:39 -0700

Wouldn't it make sense to accept user@pass, but NOT DISPLAY IT on the
address bar? so even if someone clicks on a shady link, they don't see
http://www.visa.com@crooks.com, they only see http://crooks.com on their
address bar? And with all those miserable encoded characters translated
back to plaintext too. Yeah I know. Silly idea. Just too bloody obvious
I guess.

On Sun, 2004-02-08 at 12:36, Luke Norman wrote:
I'm afraid I disagree. Surely it's better to disable by default, but
leave it so that it can be turned on if necessary. People argue that
Windows needs to be shipped with services turned off, but not removed
completely - a virus could turn these services on, but that isn't
sufficient cause for removing them. It's a user preference, and if I
want to be able to enter URLs in user:pass@host format, then I should be
given the option to do so.

Luke
--
Scott Taylor - <security () 303underground com> 

BOFH Excuse #429:

Temporal anomaly

    

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
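
The display rule suggested in the message above (show only the real host, with encoded characters decoded), sketched as an added example that is not part of the original thread. `safeDisplay`, `decodeForDisplay` and the result fields are hypothetical names, the sample URLs are constructed, and the WHATWG `URL` parser stands in for a browser's address-bar logic.

```javascript
// Added example: what an address bar could show for a URL carrying userinfo.
// safeDisplay() and its result fields are hypothetical names, not a browser API.

// Percent-decode for display only; fall back to the raw text if malformed.
function decodeForDisplay(text) {
  try {
    return decodeURI(text); // leaves reserved characters such as %2F and %3F encoded
  } catch (e) {
    return text;
  }
}

function safeDisplay(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { ok: false, display: null, strippedUserinfo: false, userinfoLooksLikeHost: false };
  }
  const userinfo = decodeForDisplay(u.username);
  const strippedUserinfo = u.username !== "" || u.password !== "";
  // A "username" shaped like a domain name is the misleading case from the thread.
  const userinfoLooksLikeHost = /^([a-z0-9-]+\.)+[a-z]{2,}$/i.test(userinfo);
  // u.host is already parsed: percent-decoded, lower-cased, userinfo excluded.
  // Only scheme, host and path are shown; query and fragment are omitted here.
  const display = `${u.protocol}//${u.host}${decodeForDisplay(u.pathname)}`;
  return { ok: true, display, strippedUserinfo, userinfoLooksLikeHost };
}

// Constructed sample inputs.
const samples = [
  "http://www.visa.com@crooks.com/",
  "http://www.visa.com:x@%63rooks.com/%6cogin",
  "http://crooks.com/plain",
];
for (const s of samples) console.log(s, "->", JSON.stringify(safeDisplay(s)));
```

The `userinfoLooksLikeHost` flag gives a client a point at which to warn or block instead of only hiding the userinfo silently.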