Open Source and information security mailing list archives
 
Date: Mon, 2 Feb 2004 21:31:19 -0800
From: Sam Schinke <sschinke@...ealbox.com>
To: bugtraq@...urityfocus.com
Subject: Re: MS to stop allowing passwords in URLs


Hello Andrew,

Wednesday, January 28, 2004, 2:54:00 PM, you wrote:

MA> I just read that Microsoft will stop allowing IDs and passwords to be
MA> embedded in URLs used by Internet Explorer. So you will no longer be
MA> able to use a URL like https://user:password@....somehost.com/

MA> See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

MA> Their reasoning is that this will mitigate status bar spoofing as has
MA> recently been discussed here and in other forums.

That reasoning is also in the KB article and the bug in this portion
of IE is obliquely acknowledged.

MA>  The article even goes
MA> so far as to admit that recent versions of IE show only the URL before
MA> the @ sign while older versions do not.

The article states the opposite. It states that earlier versions
displayed the entire URL (including authentication parts) whereas IE6
conceals the authentication portion and displays starting with the
hostname. This is, of course, excluding cases that use known flaws in
the URL parsing and is also unique to Windows 2003.

MA> Apparently MS has decided that this RFC URL syntax is simply too
MA> dangerous to allow in their products. 

If you read the HTTP 1.1 specs closely (RFC 2616) you will find that an
HTTP URL does NOT include the username:password in the syntax.

RFC 1738 and RFC 2396 specify the format of "generic" URLs but RFC
1738 specifically refers to RFC 2616 for the format of HTTP URLs.

RFCs 1738 and 2396 both discourage the use of username:password
information in URLs as well.

That said, I liked the ability to source-specify login information as
well. I think we may all be just a little shocked to see MS removing
functionality in the interests of security. I wonder if this is
because they were unable to fix the %00 spoofing or had too many other
issues with this syntax.

Another plus is that this change may see an upsurge in the use of
Mozilla, which still supports this syntax.

-- 
Best regards,
 Sam                            mailto:sschinke@...ealbox.com
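
Added example, not part of the original message: a link audit that flags HTTP(S) URLs carrying the user:password@ authority form discussed in this thread and reports the host a client would actually contact. The function name auditUrl, the finding labels and all sample URLs are hypothetical and constructed; parsing uses the standard WHATWG URL class.

```javascript
// Added example: audit links for userinfo in the authority part of HTTP(S) URLs.
// auditUrl and the finding labels are hypothetical names chosen for illustration.

// Userinfo that itself reads like a host name, e.g. "www.bank.example".
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;
// Percent-encoded control characters (%00-%1F, %7F) left in the userinfo.
const ENCODED_CTRL = /%(?:[01][0-9a-f]|7f)/i;
const ANY_ESCAPE = /%[0-9a-f]{2}/gi;

function auditUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { raw, valid: false, host: null, findings: ["unparseable"] };
  }
  const findings = [];
  const isHttp = url.protocol === "http:" || url.protocol === "https:";
  const hasUserinfo = url.username !== "" || url.password !== "";
  if (isHttp && hasUserinfo) {
    findings.push("userinfo-in-http-url");
    // Compare the user part, minus any escapes, against a host-name shape.
    if (HOSTLIKE.test(url.username.replace(ANY_ESCAPE, ""))) {
      findings.push("userinfo-looks-like-host");
    }
    if (ENCODED_CTRL.test(url.username + url.password)) {
      findings.push("encoded-control-char-in-userinfo");
    }
  }
  // url.hostname is the host the client connects to, whatever precedes the "@".
  return { raw, valid: true, host: url.hostname, findings };
}

// Constructed sample links (documentation domains and addresses only).
const SAMPLES = [
  "https://www.somehost.example/index.html",
  "https://user:password@www.somehost.example/",
  "http://www.bank.example@192.0.2.7/login",
  "http://www.bank.example%00@192.0.2.7/login",
];

for (const r of SAMPLES.map(auditUrl)) {
  console.log(r.host, JSON.stringify(r.findings), r.raw);
}
```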


