Latest IE patch breaking non username:password@encoded websites?

We're starting to take complaints from folks who have installed the
latest IE patch about various broken website functionality. The
complaints are not related to folks trying to use the username:password@
functionality that was removed by the patch.

Is anyone taking similar calls / seeing similar issues?

Herman Harless
Director, Advanced Data Network Engineering and Operations
NTELOS, Inc.
herman@ntelos.net

Yes. From MS: (a registry-based fix is detailed in the KB article)

This Internet Explorer cumulative update also includes a change to the
functionality of a Basic Authentication feature in Internet Explorer.
The update removes support for handling user names and passwords in HTTP
and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft
Internet Explorer. The following URL syntax is no longer supported in
Internet Explorer or Windows Explorer after you install this software
update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge
Base article 834489.

Bob German
Director, Operations & Engineering
Irides, LLC

Yes they broke basic auth in a URL.

I am uncertain as to why it was necessary to remove this functionality.

Bryan

Herman Harless [2/3/2004 10:56 PM] :

> We're starting to take complaints from folks who have installed the
> latest IE patch about various broken website functionality. The
> complaints are not related to folks trying to use the username:password@
> functionality that was removed by the patch.
>
> Is anyone taking similar calls / seeing similar issues?

Yup - that is a "feature" that is supposed to avoid credit card phish sites that try to spoof ebay with billing.ebay.com@some.evil.server/billing etc.

My guess is that too many people were getting burned by URLs like this:

http://www.microsoft.com@%77%77%77%2E%70%69%6D%70%77%6F%72%6B%73%2E%6F%72%67

-Jeff

> Yes they broke basic auth in a URL.
>
> I am uncertain as to why it was necessary to remove this functionality.
>
> Bryan

  Apparently, there were ways to use this to make one URL look like the URL
of another site. According to Microsoft, it isn't just
'www.microsoft.com@63.49.11.12/foo', but there were other problems involving
being able to completely fool even technically savvy people (that is,
nothing on the screen would reveal the real source of the web page you were
looking at and every visible indicator was spoofable).

  DS

Right, but the bug wasn't basic auth in a URL; it was that the %01 character
stopped Outlook and IE from displaying the rest of the URL, so
http://www.ebay.com@boogeyman.gov/ would show just "www.ebay.com" in
both Outlook and the URL bar.

The problem isn't the auth but the masking ability of the escaped
characters.

Oh well, one more standard "Embraced and Extended" by the beast....

-S

So, instead of changing the 'visualization' part of IE, MS gave up and decided
to drop an important piece of the standard?
Ok, you can always show the HOST name in the URL, dim the user name, and position
the location so that you can see the real host. You can show a warning if the user name
looks like a real domain name (has a '.' inside and 2-4 chars in the last
piece of the name), etc etc...
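A check along the lines suggested above, written as an added example for this thread (not code from any poster, from Microsoft, or from IE): it separates the userinfo from the real host, decodes percent-escapes, and warns when the user name looks like a domain name or contains control characters such as %01. The regex is my reading of the "dot inside, 2-4 chars in the last piece" rule; the sample URLs are the ones quoted in this thread plus constructed harmless ones.

```python
import re
from urllib.parse import urlsplit, unquote

# Heuristic from the message above (my encoding of it): a "user name" counts
# as domain-like when it contains a dot and its last label is 2-4 letters.
DOMAIN_LIKE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,4}$")


def inspect_url(url):
    """Split a URL the way a careful client should: separate userinfo from the
    real host, decode percent-escapes, and return the reasons for a warning."""
    netloc = urlsplit(url).netloc
    userinfo, at, hostport = netloc.rpartition("@")
    # Let urlsplit strip the port (and IPv6 brackets); it also lowercases.
    raw_host = urlsplit("//" + hostport).hostname or ""
    real_host = unquote(raw_host)
    warnings = []
    if at:
        warnings.append(f"URL carries userinfo; the real host is '{real_host}'")
        user = unquote(userinfo.split(":", 1)[0])  # drop any password part
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
            warnings.append("userinfo contains control characters that some "
                            "clients stop rendering at (the %01 trick)")
        # Compare only the printable prefix, since that is what a user sees.
        visible = "".join(c for c in user if 0x20 <= ord(c) < 0x7F)
        if DOMAIN_LIKE.match(visible):
            warnings.append(f"userinfo '{visible}' looks like a domain name")
    if raw_host != real_host:
        warnings.append(f"host name was percent-encoded: {raw_host}")
    return {"real_host": real_host, "userinfo": unquote(userinfo),
            "warnings": warnings}


if __name__ == "__main__":
    # Constructed inputs: the two spoof patterns quoted in the thread and
    # two ordinary URLs that should pass without a warning.
    for sample in ("http://www.ebay.com%01@boogeyman.gov/",
                   "http://www.microsoft.com@%77%77%77%2E%70%69%6D%70"
                   "%77%6F%72%6B%73%2E%6F%72%67",
                   "http://bob@example.com/", "http://www.example.com/path"):
        info = inspect_url(sample)
        print(sample, "->", info["real_host"])
        for w in info["warnings"]:
            print("   WARNING:", w)
```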

Placing the username and password in a URL has been deprecated for
HTTP. From RFC 2616:

    3.2.2 http URL

       The "http" scheme is used to locate network resources via the HTTP
       protocol. This section defines the scheme-specific syntax and
       semantics for http URLs.

       http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

Duane W.