January 29, 2004
Microsoft to remove support for usernames in http urls
There has been much talk in recent years about the security hazards of a deceptive practice that was little known outside the IT security communities: using the http://username@hostname/ syntax for a URL to fool the user into going to an unexpected website. Just put a hostname in the username part, as in http://www.cnn.com@extelligence.ringlet.net/, and there are people who would really think they are going to the CNN site. This works even better if the real hostname is disguised as an IP address or some other weird representation, like binary or just URL-encoding. Recently, this has become more widely known, as several large-scale scamming operations used this technique to lure unsuspecting users to their own websites.
Now, NetCraft reports that Microsoft has decided to remove support for username@hostname HTTP URLs from Internet Explorer. Some might see this as a deviation from standards; I personally see it as an unfortunate but necessary band-aid, which removes very, very rarely used functionality.
Somewhat to my surprise, I actually find that I am with Microsoft on this one, my rants about Outlook 2003's mishandling of Message-Id notwithstanding. There are just two things that bother me somewhat. It would be nice if they would not touch FTP URLs, since, much as I abhor using a browser as an FTP client (that's a subject for another rant, but it *will* be a vicious one), it is sometimes the easiest way. And the other thing: I wonder if the username@hostname support for HTTP could be made an option, off by default, rather than removed altogether. It may be very rarely used, but it still might come in handy once in a long while.
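As an added illustration (not part of the original post): a small Python check that a mail gateway or link scanner could apply to flag HTTP(S) URLs carrying a userinfo part and show the host the browser would actually connect to, percent-decoding the host and rendering numeric hosts in dotted form so the disguised representations mentioned above read plainly. It flags http/https only, matching the FTP distinction drawn here; the sample URLs are constructed, with the ringlet.net host taken from the post.

```python
import ipaddress
from urllib.parse import urlsplit, unquote


def split_host(hostport):
    """Strip an optional :port; the host part is percent-decoded first."""
    hostport = unquote(hostport)
    if hostport.startswith("["):                  # IPv6 literal such as [::1]:8080
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0]


def normalize_host(host):
    """Render numeric hosts canonically so a disguised address reads as dotted-quad."""
    host = host.lower().rstrip(".")
    try:
        if host.isdigit():                        # plain integer form, e.g. 3232235777
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.ip_address(host))    # dotted IPv4 or IPv6 literal
    except ValueError:
        return host                               # an ordinary hostname


def check_url(url):
    """Return what the URL displays versus where it actually goes.

    'suspicious' is set only for http/https: userinfo is legitimate for FTP,
    but almost never needed on the web.
    """
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")   # last '@' wins, as browsers do
    host = normalize_host(split_host(hostport))
    displayed = unquote(userinfo).split(":", 1)[0] if sep else ""
    return {
        "scheme": parts.scheme,
        "displayed": displayed,          # what a casual reader takes for the site
        "host": host,                    # where the connection really goes
        "suspicious": bool(sep) and parts.scheme in ("http", "https"),
    }


if __name__ == "__main__":
    # Constructed samples; the first host is the example used in the post.
    for u in ("http://www.cnn.com@extelligence.ringlet.net/",
              "http://www.cnn.com@3232235777/",
              "http://www.cnn.com@%65xtelligence.ringlet.net/",
              "ftp://user:secret@ftp.example.com/pub/",
              "https://www.example.com/login"):
        print(check_url(u))
```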
Posted by roam at January 29, 2004 04:10 PM
[ scheme ] [ user : pass @ ] host [ directory ]
is a valid URI scheme but it is not a valid HTTP URI. Check the HTTP RFC. So in this case MS is following standards (I sure hope that Mozilla would follow).
Microsoft have now released an official update about the removal of support for usernames in HTTP/HTTPS URLs. The great (yep, great, not just good) news is that this will indeed be done for HTTP and HTTPS only, and it will...
(read more...)
January 30, 2004 08:15 PM