lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: r.hatch at (Richard Hatch)
Subject: Microsoft removes 'user:passwd@...e' support

I have read with (initial) interest (some of) the posts about Microsoft
removing the user:password@...e format support for URLs.

OK, so some people have valid URLs of the type.
As the saying goes, deviate from a standard (or RFC) at your own peril.

Was Microsoft 'wrong' to simply remove this support?  Maybe.
Were people wrong to register domain names with reserved characters? Maybe.

I am not a Microsoft fan, but given the huge number of email scams relying
on this type of URL, something clearly had to be done to help protect users.
Microsoft could have simply said "It's not our fault, we can't fix this
without breaking other things".

I find it curious that this type of response has not been prompted by the
"Hide known file extensions" feature of Windows.
People may think "Why is someone I don't know sending me anna.jpg?" before
they click on the file.
If the filename was anna.jpg.exe, most users think that something fishy was
going on.

As far as I am concerned, the bottom line is that Microsoft's fix will help
more people than will be affected by it.  If people are so bothered by this,
use a different browser.

It does surprise me that some people in the IT security industry complain
about the lack of security awareness amongst users on one hand, and argue
about keeping support for methods that have been proven to fool users into
click strange URL links.

It seems to me that people are so eager to continue pet arguments (ie
anti-Microsoft) that any action by Microsoft is immediately scorned.

Lets stop the flame wars and get back to sharing information so that users
can be better protected.

R. Hatch

Powered by blists - more mailing lists