Latest IE patch breaking non username:password@encoded websites?
We're starting to take complaints from folks who have installed the latest IE patch about various broken website functionality. The complaints are not related to folks trying to use the username:password@ functionality that was removed by the patch. Is anyone taking similar calls / seeing similar issues? Herman Harless Director, Advanced Data Network Engineering and Operations NTELOS, Inc. herman@ntelos.net
Yes. From MS: (a registry-based fix is detailed in the KB article)

This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base article 834489.

Bob German Director, Operations & Engineering Irides, LLC

-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Herman Harless Sent: Tuesday, February 03, 2004 12:27 PM To: nanog Subject: Latest IE patch breaking non username:password@encoded websites?

We're starting to take complaints from folks who have installed the latest IE patch about various broken website functionality. The complaints are not related to folks trying to use the username:password@ functionality that was removed by the patch. Is anyone taking similar calls / seeing similar issues?

Herman Harless Director, Advanced Data Network Engineering and Operations NTELOS, Inc. herman@ntelos.net
Yes they broke basic auth in a URL. I am uncertain as to why it was necessary to remove this functionality.

Bryan

----- Original Message ----- From: "Herman Harless" <herman@ntelos.net> To: "nanog" <nanog@merit.edu> Sent: Tuesday, February 03, 2004 11:26 AM Subject: Latest IE patch breaking non username:password@encoded websites?
We're starting to take complaints from folks who have installed the latest IE patch about various broken website functionality. The complaints are not related to folks trying to use the username:password@ functionality that was removed by the patch.
Is anyone taking similar calls / seeing similar issues?
Herman Harless Director, Advanced Data Network Engineering and Operations NTELOS, Inc. herman@ntelos.net
--On Tuesday, February 03, 2004 11:34 AM -0600 Bryan Heitman <bryan@bryanheitman.com> wrote:
Yes they broke basic auth in a URL.
I am uncertain as to why it was necessary to remove this functionality.
My guess is that too many people were getting burned by URLs like this:

http://www.microsoft.com@%77%77%77%2E%70%69%6D%70%77%6F%72%6B%73%2E%6F%72%67

-Jeff
-- Jeff Workman | jworkman@pimpworks.org | http://www.pimpworks.org
On Tue, 3 Feb 2004, Jeff Workman wrote:
My guess is that too many people were getting burned by URLs like this:
http://www.microsoft.com@%77%77%77%2E%70%69%6D%70%77%6F%72%6B%73%2E%6F%72%67
-Jeff
Right, but the bug wasn't basic auth in a URL; it was that the %01 character stopped Outlook and IE from displaying the rest of the URL, so http://www.ebay.com%01@boogeyman.gov/ would show just "www.ebay.com" in both Outlook and the URL bar. The problem isn't the auth but the masking ability of the escaped characters.

Oh well, one more standard "Embraced and Extended" by the beast....

-S
-- Scott Call Router Geek, ATGi, home of $6.95 Prime Rib I make the world a better place, I boycott Wal-Mart VoIP incoming: +1 360-382-1814
Yes they broke basic auth in a URL.
I am uncertain as to why it was necessary to remove this functionality.
Bryan
Apparently, there were ways to use this to make one URL look like the URL of another site. According to Microsoft, it isn't just 'www.microsoft.com@63.49.11.12/foo', but there were other problems involving being able to completely fool even technically savvy people (that is, nothing on the screen would reveal the real source of the web page you were looking at and every visible indicator was spoofable).

DS
Herman Harless [2/3/2004 10:56 PM] :
We're starting to take complaints from folks who have installed the latest IE patch about various broken website functionality. The complaints are not related to folks trying to use the username:password@ functionality that was removed by the patch.
Is anyone taking similar calls / seeing similar issues?
Yup - that is a "feature" supposed to avoid credit card phish sites that try to spoof ebay with billing.ebay.com@some.evil.server/billing etc

-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
So, instead of changing the 'visualization' part of IE, MS gave up and decided to drop an important piece of the standard? OK, you can always show the HOST name in the URL, dim the user name, and position the location so that you can see the real host. You can show a warning if the user name looks like a real domain name (has a '.' inside and has 2 - 4 chars in the last piece of the name), etc. etc...
Herman Harless [2/3/2004 10:56 PM] :
We're starting to take complaints from folks who have installed the latest IE patch about various broken website functionality. The complaints are not related to folks trying to use the username:password@ functionality that was removed by the patch.
Is anyone taking similar calls / seeing similar issues?
Yup - that is a "feature" supposed to avoid credit card phish sites that try to spoof ebay with billing.ebay.com@some.evil.server/billing etc
-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
On Tue, 3 Feb 2004, Alexei Roudnev wrote:
So, instead of changing 'visialization' part of IE, MS give up and decided to drop important piece of standard?
Placing the username and password in a URL has been deprecated for HTTP. From RFC 2616:

3.2.2 http URL

The "http" scheme is used to locate network resources via the HTTP protocol. This section defines the scheme-specific syntax and semantics for http URLs.

http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

Duane W.
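As an added example (not from the thread or from any poster), the checks Scott, Alexei and Duane describe above in Python: decode the authority of a URL, recover the host the client actually connects to, and flag userinfo that is missing from the RFC 2616 http_URL grammar, hides the rest of the URL with a control character, or impersonates a hostname. The DOMAIN_LIKE regex is my rendering of Alexei's heuristic; the sample URLs are the ones quoted in the thread plus one ordinary URL.

```python
import re
from urllib.parse import urlsplit, unquote

# Alexei's heuristic as a regex (my rendering, not from the thread): a user
# name with dots whose last label is 2-4 letters "looks like a real domain".
DOMAIN_LIKE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,4}$")

def _visible(text):
    """Drop C0/DEL control characters, i.e. what %01 decodes to."""
    return "".join(ch for ch in text if ord(ch) >= 0x20 and ch != "\x7f")

def analyze_url(url):
    """Return (real_host, decoded_userinfo or None, findings).

    real_host is the host the client actually connects to, after percent-
    decoding and stripping the port (IPv6 literals are not handled).
    """
    netloc = urlsplit(url).netloc
    userinfo, at, hostport = netloc.rpartition("@")
    real_host = unquote(hostport).rsplit(":", 1)[0].lower()
    if not at:
        return real_host, None, []
    decoded = unquote(userinfo)                 # "%01" becomes "\x01"
    findings = ["userinfo present: RFC 2616 http_URL has no user:password part"]
    if decoded != _visible(decoded):
        findings.append("control character in userinfo; affected clients "
                        "stopped displaying the URL at that point")
    shown = _visible(decoded.split(":", 1)[0])  # the 'user' part as displayed
    if DOMAIN_LIKE.match(shown):
        findings.append(f"userinfo {shown!r} looks like a hostname, "
                        f"but the real host is {real_host!r}")
    return real_host, decoded, findings

if __name__ == "__main__":
    # URLs quoted in the thread, plus one ordinary URL for contrast.
    for u in ("http://www.microsoft.com@%77%77%77%2E%70%69%6D%70%77%6F%72%6B%73%2E%6F%72%67",
              "http://www.ebay.com%01@boogeyman.gov/",
              "http://billing.ebay.com@some.evil.server/billing",
              "http://www.microsoft.com@63.49.11.12/foo",
              "http://www.example.com/"):
        host, _, notes = analyze_url(u)
        print(host, notes)
```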
participants (9)
- Alexei Roudnev
- Bob German
- Bryan Heitman
- David Schwartz
- Duane Wessels
- Herman Harless
- Jeff Workman
- Scott Call
- Suresh Ramasubramanian