Date: Tue, 03 Feb 2004 08:10:33 -0500
From: Vinny Abello <vinny@...lurian.com>
To: "McAllister, Andrew" <McAllisterA@...ystem.edu>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: MS to stop allowing passwords in URLs


Interestingly, I've already found that this patch doesn't fix this problem 
when using IE as an object in VB6. You can still programmatically call an 
instance of IE as a browser object and use that format to login to a web site.

At 05:54 PM 1/28/2004, McAllister, Andrew wrote:
>I just read that Microsoft will stop allowing IDs and passwords to be
>embedded in URLs used by Internet Explorer. So you will no longer be
>able to use a URL like https://user:password@....somehost.com/
>
>See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
>
>Their reasoning is that this will mitigate status bar spoofing as has
>recently been discussed here and in other forums. The article even goes
>so far as to admit that recent versions of IE show only the URL before
>the @ sign while older versions do not.
>
>Apparently MS has decided that this RFC URL syntax is simply too
>dangerous to allow in their products.
>
>Their suggested workarounds include among others:
>   1) Having users click the "Remember my password" checkbox in IE.
>   2) Using cookies.
>
>I personally use this syntax in only one production application, BBTray
>- a windows tray applet that watches my bigbrother monitoring server.
>Click the applet and it opens a browser window with the
>id:password@...ver.com syntax. The ID and password is specific to our
>bigbrother application, my workstation sits behind two firewalls and I
>am the only admin on the box. So, I consider this use to be legit and
>relatively safe given the convenience it provides.
>
>I certainly don't consider the "remember my password" functionality nor
>stored cookies any more or less safe than this syntax.
>
>Anyone have any comments regarding legitimate uses of this syntax and
>Microsoft removing it from their browser? (and presumably the OS since
>the browser IS the OS).
>
>Andrew McAllister
>University of Missouri


Vinny Abello
Network Engineer
Server Management
vinny@...lurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and 
those that don't.
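The thread above turns on two things: the RFC userinfo syntax (`scheme://user:password@host/`) and the status bar spoofing that KB 834489 cites as the reason for disabling it, where text placed before the `@` is mistaken for the host. The following is an added example, not code from either poster: a small audit routine that splits a link into the credentials it carries and the host it really resolves to, and labels links whose userinfo looks like a hostname (the spoofing pattern) separately from links that merely embed a login, like the BBTray use Andrew describes. The sample links are constructed for the example; `classify`, `apparent_host` and the heuristic it uses are assumptions of this example, not anything from the KB article.

```python
"""Audit links for the user:password@host form discussed in the thread.

Added example (not from the original posts). Uses only the standard library
so it can be run over a list of links pulled from mail, bookmarks or logs.
"""
from urllib.parse import urlsplit

# Constructed sample links for the example; none come from the thread.
# The second one puts a hostname-looking string in the userinfo position so a
# display that only shows the text before '@' suggests the wrong site.
SAMPLE_LINKS = [
    "https://www.example.com/",
    "https://www.example.com@other.example/login",
    "http://user:secret@monitor.example/bb/",
]


def split_credentials(url):
    """Return (username, password, real_host); username/password are None if absent."""
    parts = urlsplit(url)
    return parts.username, parts.password, parts.hostname


def apparent_host(url):
    """What a viewer that shows only the text up to the '@' would present.

    For a link without userinfo this is simply the real hostname.
    """
    parts = urlsplit(url)
    if "@" in parts.netloc:
        return parts.netloc.rsplit("@", 1)[0]
    return parts.hostname


def classify(url):
    """Label a link as 'clean', 'embedded-credentials' or 'host-spoofing'.

    Heuristic (an assumption of this example): a userinfo component with no
    password whose username contains a dot looks like a hostname and is
    treated as a spoofing attempt rather than a stored login.
    """
    user, password, _host = split_credentials(url)
    if user is None:
        return "clean"
    if password is None and "." in user:
        return "host-spoofing"
    return "embedded-credentials"


def audit(urls):
    """Return one (url, label, apparent_host, real_host) row per link."""
    return [(u, classify(u), apparent_host(u), urlsplit(u).hostname) for u in urls]


if __name__ == "__main__":
    for url, label, seen, real in audit(SAMPLE_LINKS):
        print(f"{label:21s} displayed as {seen!s:28s} real host {real}")
```

Run it over a file of links and every `host-spoofing` row is a link a user could be fooled by, while `embedded-credentials` rows are the legitimate-but-risky convenience cases the thread is about: the password is in the clear in the link itself, which is why it ends up in logs, proxies and shared bookmarks regardless of what the browser displays.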
