Again on the Microsoft thing
One of the vulnerabilities corrected by the update I mentioned in the last post is the address-bar spoofing one: someone can alter what is displayed in the address bar so that you think you are using http://www.westpac.com.au, while you are actually using the password-capturing site http://www.westpac.com.au:blah@actual.domain.example. Everything before the @ is the URL's userinfo (username and password), and the real host is whatever follows it.

Microsoft has now disabled the use of basic-auth credentials within URLs, i.e. http://username:password@example.com

Good one! Now, it probably will help avoid some problems and it's not like there's a great need for such URLs anyway, but... I just can't help but think Microsoft is saying "look, we can't be sure how many more problems are going to surface in this software, so let's just cripple it a bit so that undiscovered vulnerabilities can't be exploited so easily".

If they were smart, they could use Opera's approach:
  • pop up a warning each time someone visits a site with a username in the URL
  • display the username and server in the dialog box
  • mask the password portion of the URL with asterisks: http://user:****@example.com

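To make the mechanism concrete, here is an added example (mine, not code from the post, from Microsoft or from Opera) that parses the spoofing URL quoted in the post with Python's standard urllib.parse, reports which host the browser would really connect to, and builds the two things the commenter describes: a warning line naming the username and the real server, and a display form with the password masked by asterisks. The "Opera-style" naming and the wording of the warning are my own assumptions; the spoofing URL is the one from the post.

```python
from urllib.parse import urlsplit, urlunsplit


def describe_url(url):
    """Return (hostname, username, password) the way a URL parser sees them.

    For http://www.westpac.com.au:blah@actual.domain.example the host is
    actual.domain.example; "www.westpac.com.au" is merely the username.
    """
    parts = urlsplit(url)
    return parts.hostname, parts.username, parts.password


def warning_text(url):
    """Text for a warning dialog shown whenever the URL carries a username.

    Returns None for ordinary URLs without userinfo. Wording is an assumption,
    not Opera's actual dialog text.
    """
    host, user, _password = describe_url(url)
    if user is None:
        return None
    return f"You are about to connect to {host} as user '{user}'."


def mask_userinfo(url):
    """Display form of the URL with the password replaced by asterisks.

    http://user:secret@example.com/ -> http://user:****@example.com/
    URLs without userinfo are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url
    # Keep the original host[:port] text (after the last '@') untouched,
    # including any IPv6 brackets, and rebuild only the userinfo part.
    hostinfo = parts.netloc.rpartition("@")[2]
    userinfo = parts.username
    if parts.password is not None:
        userinfo += ":****"
    netloc = f"{userinfo}@{hostinfo}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # The spoofing URL from the post.
    spoof = "http://www.westpac.com.au:blah@actual.domain.example"
    print(describe_url(spoof))
    print(warning_text(spoof))
    print(mask_userinfo(spoof))
```

Running it shows the real host is actual.domain.example, the warning names that host and the "www.westpac.com.au" username, and the masked display form is http://www.westpac.com.au:****@actual.domain.example, which makes the deception visible at a glance.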