Again on the Microsoft thing
One of the vulnerabilities corrected by the update I mentioned in the last post is the one where someone can alter what is displayed in the address bar, such that you think you are using one site but are actually using a password-capturing site.

Microsoft has now disabled the use of basic auth within URLs, i.e.:

Good one! Now, it probably will help avoid some problems and it's not like there's a great need for such URLs anyway, but... I just can't help but think Microsoft is saying "look, we can't be sure how many more problems are going to surface in this software, so let's just cripple it a bit so that undiscovered vulnerabilities can't be exploited so easily".

If they were smart, they could use Opera's approach:
  • pop up a warning each time someone visits a site with a username in the URL
  • display the username and server in the dialog box
  • mask the password portion of the URL with asterisks: http://user:****

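An added example (not code from the post, the commenter, or any browser) that implements the check the comment describes and shows why it matters for the address-bar trick the post refers to: it parses a URL with the WHATWG URL parser, reports the real server separately from the username, and masks the password. The sample URLs are constructed.

```javascript
// Added example, not code from the original post or from any browser.
// Implements the Opera-style check the comment describes: detect userinfo in a
// URL, name the real server separately from the username, mask the password.

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser (built into Node and browsers)
  } catch (e) {
    return { valid: false, raw };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  // url.username stays percent-encoded on purpose: decoding could put "@" or
  // "/" back into the display string and recreate the confusion.
  const masked = hasUserinfo
    ? `${url.protocol}//${url.username}${url.password ? ":****" : ""}@${url.host}${url.pathname}${url.search}`
    : url.href;
  return {
    valid: true,
    hasUserinfo,
    username: url.username,
    server: url.hostname,   // the host the request actually goes to
    masked,                 // address-bar form with the password hidden
    // Dialog text: the server and the username are shown as separate fields,
    // so a host-like username cannot pass for the server.
    warning: hasUserinfo
      ? `Server: ${url.hostname}\nUser name: ${url.username}\nProceed?`
      : null,
  };
}

// Return the inspections that should trigger the warning dialog.
function flagSuspicious(urls) {
  return urls.map(inspectUrl).filter((r) => r.valid && r.hasUserinfo);
}

// Constructed sample URLs; the first one has a host-like username, which is
// exactly the kind of URL the address-bar trick in the post relies on.
const SAMPLE_URLS = [
  "http://www.example.com@login.example.net/",
  "http://alice:s3cret@files.example.org/share?x=1",
  "http://www.example.com/",
  "not a url",
];

for (const r of flagSuspicious(SAMPLE_URLS)) {
  console.log(r.masked);
  console.log(r.warning);
}
```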
