[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <237265190.20040208130153@comcast.net>
From: hggdh at comcast.net (hggdh)
Subject: Apparently the practice was prevalent
Hello Paul,
Sunday, February 8, 2004, 11:18:17 AM, you wrote:
PS> According to this story, some programmers have been up late "fixing" the
PS> inability to use @ in their urls. :-) Once company is even proposing
PS> reversing the change (by sending their users a registry update) so they can
PS> continue to use the feature. Makes you wonder how long it will be before a
PS> virus or worm reverses the registry key so it can use that "feature".
I will bite the hook.
I think we have gone off on a tangent on this MS fix -- as far as I
can understand MS blocked it not because it was not in the RFC, but
because it could be used against people.
And, the point here is that it could be used due to OTHER IE
vulnerabilities.
As Valdis said earlier, user:password@...e is a DE FACTO standard. It
goes against the RFC? Well, get over it. Such is life. It has not been
the first time, and it will not be the last one. What defines a
de facto standard is prevalence of use. Nobody can argue that the IE
browser is not prevalent...
Is it a Real Bad Idea? Yes, certainly. Should it be used? No. But,
still, MS implemented it, and promoted it's use. Now, due to their
inability to fix OTHER problems, they took it out. Finally -- from a
security point of view, I am really glad. But it was still a (de
facto) standard, still a standard, still a standard.
So obviously there are people out there that will have to scramble to
get their things back working. After all, MS suddenly took it out...
and, also expected, MS would have to provide a backdoor. We can just
hope that a future fix will take it out for once and for all.
..hggdh..
Powered by blists - more mailing lists