Internet Explorer username:password@ behavior to change

[Shovel]

I just stumbled across this:

http://support.microsoft.com/?kbid=834489

It appears that MS are going to remove a large chunk of Internet Explorers userass@ behavior in an effort to combat spoof sites and the malicious code risks they pose.

SUMMARY

Microsoft plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://usernameassword@server/resource.ext
This article is intended to give you advance notice of this change in Internet Explorer's default behavior. If you include user information in HTTP or HTTPS URLs, Microsoft recommends that you explore the workarounds that are described in this article before you install this software update. Microsoft will post more information in this article when the software update becomes available.

MORE INFORMATION
Background information
Internet Explorer versions 3.0 and later support the following syntax for HTTP or HTTPS URLs:

http(s)://usernameassword@server/resource.ext
You can use this URL syntax to automatically send user information to a Web site that supports the basic authentication method.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

200351 INFO: URL syntax for authentication without dialog prompt
A malicious user could also use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com:

http://www.wingtiptoys.com@example.com

At the base of the page it does state that a registry switch will allow you to control the new behavior if you want to change it back.

 

[Scooba da Bass]

Yay for MS, hacking out features that are proscribed by internet standards agreements (RFC 2369) because you won't fix your stupid software is neato.

 

[Jonty]

I think that's a tad harsh, Scooba. And besides, Mozilla and various other non-IE browsers are also vulnerable to spoofed URIs too, although admittedly IE is perhaps worse affected. And besides, you will be able to reverse any changes, as Shovel highlights.

Kind Regards

 

[Ch3tan]

Why dont they all do what Opera have managed to do, and give you a warning message.

 

[Jonty]

Why dont they all do what Opera have managed to do, and give you a warning message.

Because that's just way too simple hehe.

Kind Regards

Jonty

P.S. Have you tried Opera 7.50 Beta? Some quite nice changes.

 

[Scooba da Bass]

I think that's a tad harsh, Scooba. And besides, Mozilla and various other non-IE browsers are also vulnerable to spoofed URIs too, although admittedly IE is perhaps worse affected. And besides, you will be able to reverse any changes, as Shovel highlights.

The difference is that in Mozilla, Opera et al you can't hide the rest of the URL as you can in IE. The sooner that 'alternative' browsers catch up, the sooner the internet is a better place.

Why dont they all do what Opera have managed to do, and give you a warning message.

IE users are unable to read, it's the only possible reason that spyware and various other Active X exploits are so prevalent. Alternatively because of x years of horrible code it's easier just to kludge a solution than try to fix it.

 

[Shovel]

It does indeed strike me that it would sure be much easier to ammend the problems in the IE character handling that results in the fake URL being visually hidden the better. If anything, swapping the behavior to only show what comes after must be /better/ surely?

Then 2) Add in translation from HTML character codes to actual characters in the URL.

Presto, no more spoofing.


-- Additionally, while it's nice of them to actually leave it customisable, that doesn't really help a lot of people. Yeah, sure, people on Freddyshouse will tend to be happier to hack around in the reg, but not all. And "average users" whose Internet behavior randomly goes tits up wont have the foggiest how to sort it out.

I'm personally expected that we'll have to wait until the patch actually arrives to see what damage it actually does, mind.

 

[MrBlack]

This one is utter genius, though.

Not only do MS decide to break the RFC in a heinous manner to protect the innocent, they give you these two fantastic workarounds:

"If users typically type HTTP or HTTPS URLs that include user information in the Address bar, or click links that include user information in HTTP or HTTPS URLs, you can work around this new functionality in Internet Explorer in two ways:

- Do not include user information in HTTP or HTTPS URLs.

- Instruct users not to include their user information when they type HTTP or HTTPS URLs"

Genius, really. Don't do it, and tell users not to do it. Ace.