lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4020D3B9.18819.D1B1D6@localhost>
Date: Wed, 04 Feb 2004 11:12:57 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: MS to stop allowing passwords in URLs


"McAllister, Andrew" <McAllisterA@...ystem.edu> wrote:

> I just read that Microsoft will stop allowing IDs and passwords to be
> embedded in URLs used by Internet Explorer. So you will no longer be
> able to use a URL like https://user:password@....somehost.com/
> 
> See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

And a good thing too...

You see, rather sadly, MS failed to note in that KB article that this 
change _finally_ makes IE's HTTP URL-handling more or less standards-
conforming.  How many years is that now since IE 3.0 introduced this 
non-standard behaviour?

> Their reasoning is that this will mitigate status bar spoofing as has
> recently been discussed here and in other forums. The article even goes
> so far as to admit that recent versions of IE show only the URL before
> the @ sign while older versions do not.
> 
> Apparently MS has decided that this RFC URL syntax is simply too
> dangerous to allow in their products. 

It seems you misread the KB article and related RFCs.  Admittedly the 
KB article seems to have been written be portray MS as the victim of 
harrassment by those nasty scammers, but in reality -- whatever MS' 
actual or professed reasons for making these changes -- MS has removed 
a _mis-feature_ that was not compliant with the agreed industry 
standards that IE is supposed to measure up against.

Although that KB article refers the reader to RFC 2616 for further 
explanation, it also rather misleadingly refers to RFC 1738 and 2396.  
As RFC 2616 specifically covers the HTTP URL syntax in its section 
3.2.2, the others are irrelevant to the issue of "What is the proper 
syntax of an HTTP URL?".  RFC 2616 clearly _does not allow_ the 
"userid" component of the generic URI syntax _which is OPTIONAL _AND_ 
scheme dependent_.  Go on, read all three RFCs and see for yourself...  

> Their suggested workarounds include among others:
>   1) Having users click the "Remember my password" checkbox in IE.
>   2) Using cookies.
> 
> I personally use this syntax in only one production application, BBTray
> - a windows tray applet that watches my bigbrother monitoring server.

Then you should stop because it is not standards compliant.  Do you 
really want to be part of the problem?  (And a problem, that no matter it
is not publicy admitting it is largely responsible for, MS itself is now
trying to distance itself from?)

> Click the applet and it opens a browser window with the
> id:passowrd@...ver.com syntax. The ID and password is specific to our
> bigbrother application, my workstation sits behind two firewalls and I
> am the only admin on the box. So, I consider this use to be legit and
> relatively safe given the convenience it provides.

You're welcome to your opinion, but as a few moments reading the RFCs,
rather than the documention of the devil-spawn of all browsers would have
shown you way back when, it is a poor opinion.

> I certainly don't consider the "remember my password" functionality nor
> stored cookies any more or less safe than this syntax.

Indeed, but at least they cooform to the standards that are supposed to
make the WWW work and interoperate between dozens upon dozens of otherwise
largely incompatible systems.

> Anyone have any comments regarding legitimate uses of this syntax and

No, because there is no legitimate use of that syntax.  If MS had 
implemented a scheme of its own -- say, "scamsRus" -- and allowed the
userid component of the generic URI as a valid part of that scheme, then
you would certainly be entitled to use a URL of the form:

  scamsRus://user:password@....somehost.com/

but HTTP is defined without such support so you aren't entitled to use it as MS should not have supported it.  

> Microsoft removing it from their browser? (and presumably the OS since
> the browser IS the OS).

This is a good thing.

The inconvenience to your relatively few users of their loss of this
non-standard "feature" is worth the reduction in credible-seeming scams
the removal of the feature will see in ensuing years.

And perhaps MS removing this will pressure other browser developers to 
follow suit -- after all, who would want their product to be known as 
"the browser lagging IE in security features"?   8-)


Regards,

Nick FitzGerald



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ