Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Herman Harless

We're starting to take complaints from folks who have installed the
latest IE patch about various broken website functionality.  The
complaints are not related to folks trying to use the username:password@
functionality that was removed by the patch.

Is anyone taking similar calls / seeing similar issues? 

Herman Harless
Director, Advanced Data Network Engineering and Operations
NTELOS, Inc.
[EMAIL PROTECTED]






RE: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Bob German


Yes. From MS:  (a registry-based fix is detailed in the KB article)

This Internet Explorer cumulative update also includes a change to the
functionality of a Basic Authentication feature in Internet Explorer.
The update removes support for handling user names and passwords in HTTP
and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft
Internet Explorer. The following URL syntax is no longer supported in
Internet Explorer or Windows Explorer after you install this software
update:

http(s)://username:[EMAIL PROTECTED]/resource.ext

For more information about this change, please see Microsoft Knowledge
Base article 834489.

Bob German
Director, Operations  Engineering
Irides, LLC
 


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Herman Harless
Sent: Tuesday, February 03, 2004 12:27 PM
To: nanog
Subject: Latest IE patch breaking non username:[EMAIL PROTECTED]
websites?



We're starting to take complaints from folks who have installed the
latest IE patch about various broken website functionality.  The
complaints are not related to folks trying to use the username:password@
functionality that was removed by the patch.

Is anyone taking similar calls / seeing similar issues? 

Herman Harless
Director, Advanced Data Network Engineering and Operations NTELOS, Inc.
[EMAIL PROTECTED]






Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Bryan Heitman

Yes they broke basic auth in a URL.

I am uncertain as to why it was necessary to remove this functionality.

Bryan
----- Original Message -----
From: Herman Harless [EMAIL PROTECTED]
To: nanog [EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:26 AM
Subject: Latest IE patch breaking non username:[EMAIL PROTECTED] websites?

> We're starting to take complaints from folks who have installed the
> latest IE patch about various broken website functionality.  The
> complaints are not related to folks trying to use the username:password@
> functionality that was removed by the patch.
>
> Is anyone taking similar calls / seeing similar issues?
>
> Herman Harless
> Director, Advanced Data Network Engineering and Operations
> NTELOS, Inc.
> [EMAIL PROTECTED]


Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Suresh Ramasubramanian
Herman Harless  [2/3/2004 10:56 PM] :
> We're starting to take complaints from folks who have installed the
> latest IE patch about various broken website functionality.  The
> complaints are not related to folks trying to use the username:password@
> functionality that was removed by the patch.
>
> Is anyone taking similar calls / seeing similar issues?

Yup - that is a feature supposed to avoid credit card phish sites that
try to spoof ebay with [EMAIL PROTECTED]/billing etc

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations


Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Jeff Workman


--On Tuesday, February 03, 2004 11:34 AM -0600 Bryan Heitman
[EMAIL PROTECTED] wrote:

> Yes they broke basic auth in a URL.
>
> I am uncertain as to why it was necessary to remove this functionality.

My guess is that too many people were getting burned by URLs like this:

http://[EMAIL PROTECTED]

-Jeff

--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org


RE: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread David Schwartz


> Yes they broke basic auth in a URL.
>
> I am uncertain as to why it was necessary to remove this functionality.
>
> Bryan

Apparently, there were ways to use this to make one URL look like the URL
of another site. According to Microsoft, it isn't just
'[EMAIL PROTECTED]/foo', but there were other problems involving
being able to completely fool even technically savvy people (that is,
nothing on the screen would reveal the real source of the web page you were
looking at and every visible indicator was spoofable).

DS




Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Scott Call

On Tue, 3 Feb 2004, Jeff Workman wrote:

> My guess is that too many people were getting burned by URLs like this:
>
> http://[EMAIL PROTECTED]
>
> -Jeff

Right, but the bug wasn't basic auth in a URL; it was that the %01 character
stopped Outlook and IE from displaying the rest of the URL, so
http://[EMAIL PROTECTED]/  would show just www.ebay.com in
both Outlook and the URL bar.

The problem isn't the auth but the masking ability of the escaped
characters.

Oh well, one more standard Embraced and Extended by the beast

-S


-- 
Scott Call  Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814



RE: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Herman Harless

Sorry - 

Mostly non-password encoded forms that don't refresh when you hit
submit.  After submitting 3 or 4 times they seem to work.  Like most
ISPs, we take calls when somebody's web site doesn't work, even if we
don't even host it.

On Tue, 2004-02-03 at 12:24, Conrad Golightly wrote:
> Can you give us some more detail about what they ARE seeing?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Herman Harless
> Sent: Tuesday, February 03, 2004 11:27 AM
> To: nanog
> Subject: Latest IE patch breaking non username:[EMAIL PROTECTED]
> websites?
>
> We're starting to take complaints from folks who have installed the
> latest IE patch about various broken website functionality.  The
> complaints are not related to folks trying to use the username:password@
> functionality that was removed by the patch.
>
> Is anyone taking similar calls / seeing similar issues?
>
> Herman Harless
> Director, Advanced Data Network Engineering and Operations NTELOS, Inc.
> [EMAIL PROTECTED]
>
> ---
> [This E-mail scanned for viruses]




Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Alexei Roudnev

I would rather treat this patch as a _bug_. The user:[EMAIL PROTECTED] format is used (I
have 3 or 4 instances in a monitoring system, to allow automatic proxy
onto the system with the 'guest' user name, for example). To block the scam, it was
sufficient to restrict username length, or to set up a checkbox in the Explorer
settings.

The whole idea is wrong - instead of fixing IE (just show the REAL host name,
for example), MS decided to drop functionality. We (in our company) advised
people _against_ this patch. It broke legitimate addresses, and fixed a very
rare and exotic problem... which can be fixed in many other ways.



> Sorry -
>
> Mostly non-password encoded forms that don't refresh when you hit
> submit.  After Submitting 3 or 4 times they seem to work.  Like most
> ISP's, we take calls when somebody's web site doesn't work, even if we
> don't even host it.
>
> On Tue, 2004-02-03 at 12:24, Conrad Golightly wrote:
> > Can you give us some more detail about what they ARE seeing?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Herman Harless
> > Sent: Tuesday, February 03, 2004 11:27 AM
> > To: nanog
> > Subject: Latest IE patch breaking non username:[EMAIL PROTECTED]
> > websites?
> >
> > We're starting to take complaints from folks who have installed the
> > latest IE patch about various broken website functionality.  The
> > complaints are not related to folks trying to use the username:password@
> > functionality that was removed by the patch.
> >
> > Is anyone taking similar calls / seeing similar issues?
> >
> > Herman Harless
> > Director, Advanced Data Network Engineering and Operations NTELOS, Inc.
> > [EMAIL PROTECTED]
> >
> > ---
> > [This E-mail scanned for viruses]





Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Alexei Roudnev


So, instead of changing the 'visualization' part of IE, MS gave up and decided
to drop an important piece of the standard?
Ok, you can always show the HOST name in the URL, dim the user name, and position
the location so that you can see the real host. You can show a warning if the user name
looks like a real domain name (has a . inside and has 2 - 4 chars in the last
piece of the name), etc etc...





> Herman Harless  [2/3/2004 10:56 PM] :
> > We're starting to take complaints from folks who have installed the
> > latest IE patch about various broken website functionality.  The
> > complaints are not related to folks trying to use the username:password@
> > functionality that was removed by the patch.
> >
> > Is anyone taking similar calls / seeing similar issues?
>
> Yup - that is a feature supposed to avoid credit card phish sites that
> try to spoof ebay with [EMAIL PROTECTED]/billing etc
>
> --
> srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> manager, outblaze.com security and antispam operations



Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Duane Wessels



On Tue, 3 Feb 2004, Alexei Roudnev wrote:

> So, instead of changing 'visualization' part of IE, MS give up and decided
> to drop important piece of standard?

Placing the username and password in a URL has been deprecated for
HTTP.  From RFC 2616:

3.2.2 http URL

   The http scheme is used to locate network resources via the HTTP
   protocol. This section defines the scheme-specific syntax and
   semantics for http URLs.

   http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]


Duane W.
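
An added example, not part of any poster's message: a defender-side check that combines three points raised in this thread, namely that RFC 2616's http_URL has no userinfo part, that an escaped control character such as %01 in the userinfo hid the real host, and the "user name looks like a domain name" warning heuristic. The function name `inspect_url`, the finding labels and the sample URLs (documentation domains and addresses) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Heuristic proposed in the thread: a "." inside the user name and a
# 2-4 letter last piece, i.e. the user name reads like a host name.
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,4}$", re.I)

def is_control(ch):
    return ord(ch) < 0x20 or ord(ch) == 0x7F

def inspect_url(url):
    """Return (real_host, findings) for a URL; findings is a list of labels."""
    parts = urlsplit(url)
    findings = []
    # Only http/https are checked: the RFC 2616 grammar for http URLs
    # has no user:password@ component at all.
    if parts.scheme.lower() not in ("http", "https") or "@" not in parts.netloc:
        return parts.hostname, findings
    findings.append("userinfo-in-http-url")
    # The host is whatever follows the LAST "@" in the authority.
    userinfo = parts.netloc.rpartition("@")[0]
    decoded = unquote(userinfo)
    if any(is_control(c) for c in decoded):
        findings.append("control-char-in-userinfo")
    # Judge the user name as a person would see it: password and
    # control characters removed.
    name = "".join(c for c in decoded.split(":", 1)[0] if not is_control(c))
    if DOMAIN_LIKE.match(name):
        findings.append("username-looks-like-hostname")
    return parts.hostname, findings

# Constructed sample URLs (not taken from the thread).
SAMPLES = [
    "http://www.example.com%01@203.0.113.5/billing",
    "http://guest:secret@monitor.example.net/status",
    "https://www.example.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        host, findings = inspect_url(u)
        print(f"{u}\n  real host: {host}\n  findings:  {findings or 'none'}")
```

The second sample shows why a display-side check is less disruptive than dropping the syntax: the legitimate 'guest' style URL gets only the informational finding, while the masked URL gets all three.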