| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Feb 2004 00:06:44 -0500 (EST) From: Dave McCormick <mccormic@...u.net> To: "McAllister, Andrew" <McAllisterA@...ystem.edu> Cc: bugtraq@...urityfocus.com Subject: Re: MS to stop allowing passwords in URLs Andrew, You said: <I just read that Microsoft will stop allowing IDs and passwords to be <embedded in URLs used by Internet Explorer. So you will no longer be <able to use a URL like https://user:password@....somehost.com/ I wanted to point out the option to make a reg key change that will maintain the user@ functionality instead of utilizing the new default behavior that occurs by applying the patch. <snipped from MS article> How to disable the new default behavior for handling user information in HTTP or HTTPS URLs To disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0: For all users: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE For the current user only: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Overall, I think that MS is doing the right thing with this. I cannot count how many html email's I've received that are supposedly from PayPal, or Visa or <insert your favorite finacial organization here> wherein a kiddie wannabe with minimal english skills asks "please verafy your accoont information". That information is piped to a cgi on a hacked box somewhere that snarfs the info then redirects you to the real site that is supposedly asking for the info. *yawn* I guarantee that there are people out there (although probably not on this list) that have swallowed the bait and forwarded their credit card #, SSN #, all their pin numbers to every bank account they own as well as their grandmothers bra size because they were presented with an official looking html email that asked for the info. Why else do so many of these types of con jobs flood the net? This is getting to be as bad as the Nigerian email scam. You know the one that starts out, "Dear Sir, <insert impressive title of some 3rd world country here> left me 10 million dollars and I need your help." Overall I think it's the right thing to do and I'm glad that MS is doing it. just my .02 so please, flames > /dev/null Regards, Dave McCormick dave@...d.net_nospam.com mccormic@...u.net_nospam.com "Kool-Aid anyone?" - Bill Gates
Powered by blists - more mailing lists