lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Feb 2004 00:06:44 -0500 (EST)
From: Dave McCormick <mccormic@...u.net>
To: "McAllister, Andrew" <McAllisterA@...ystem.edu>
Cc: bugtraq@...urityfocus.com
Subject: Re: MS to stop allowing passwords in URLs


Andrew,

You said:
<I just read that Microsoft will stop allowing IDs and passwords to be
<embedded in URLs used by Internet Explorer. So you will no longer be
<able to use a URL like https://user:password@....somehost.com/

I wanted to point out the option to make a reg key change that will
maintain the user@ functionality instead of utilizing the new default
behavior that occurs by applying the patch.

<snipped from MS article>
How to disable the new default behavior for handling user information in
HTTP or HTTPS URLs To disable the new default behavior in Windows Explorer
and Internet Explorer, create iexplore.exe and explorer.exe DWORD values
in one of the following registry keys and set their value data to 0:

For all users:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

For the current user only:

HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE


Overall, I think that MS is doing the right thing with this.  I cannot
count how many html email's I've received that are supposedly from PayPal,
or Visa or <insert your favorite finacial organization here> wherein a
kiddie wannabe with minimal english skills asks "please verafy your
accoont information".  That information is piped to a cgi on a hacked box
somewhere that snarfs the info then redirects you to the real site that is
supposedly asking for the info.

*yawn*

I guarantee that there are people out there (although probably not on this
list) that have swallowed the bait and forwarded their credit card #, SSN
#, all their pin numbers to every bank account they own as well as their
grandmothers bra size because they were presented with an official looking
html email that asked for the info.  Why else do so many of these types of
con jobs flood the net?

This is getting to be as bad as the Nigerian email scam. You know the one
that starts out, "Dear Sir, <insert impressive title of some 3rd world
country here> left me 10 million dollars and I need your help."

Overall I think it's the right thing to do and I'm glad that MS is doing
it.

just my .02 so please, flames > /dev/null

Regards,

Dave McCormick
dave@...d.net_nospam.com
mccormic@...u.net_nospam.com

"Kool-Aid anyone?" - Bill Gates



Powered by blists - more mailing lists