FYI - member area - username:password@

  • jibious
    New Member
    • Mar 2003
    • 28
    • 3.0.1

    FYI - member area - username:password@

    just an FYI for IE6SP1 users who updated the latest Microsoft patches (specifically MS04-007, i believe - the ASN.1 vulnerability)

    http://username[email protected]/members/ will no longer work, as username:password@ is no longer being passed over on URLs. this is non-RFC, so you MIGHT expect a fix one day or the other from microsoft. this would affect any 'Favorites' or links that you click on that are formatted this way.

    i would suggest installing Mozilla Firefox v0.8 and using it for now.
  • filburt1
    Senior Member
    • Feb 2002
    • 6606

    #2
    Microsoft made the change to stop spoofers from tricking unsuspecting users into giving up personal information on normally trusted sites. I would hardly consider it a reason to switch to Firefox if the user is already comfortable with IE.
    --filburt1, vBulletin.org/vBulletinTemplates.com moderator
    Web Design Forums.net: vB Board of the Month
    vBulletin Mail System (vBMS): webmail for your forum users


    • Thomas P
      Senior Member
      • Apr 2001
      • 1497
      • 5.6.4

      #3
      Hmmm, isn't there a https access to the member site?
      www.MCSEboard.de
      German Windows Server & IT Pro Community dedicated to Windows Client & Server Systems. MVPs inside


      • Floris
        Senior Member
        • Dec 2001
        • 37767

        #4
        With that many security issues with Microsoft products .. I don't feel safe putting my favorite .html file full with user[email protected] information


        • DWZ
          Senior Member
          • Jan 2002
          • 985
          • 2.2.9

          #5
          Yes, I read in the news that Microsoft was planning on doing this. Then one day I went to Windows Updates and got a whole lot of critical updates to find that one of them removed the username:password@domain feature, which is, well, annoying.

          I ended up finding a registry "fix" that reversed the problem.


          • Stadler
            Senior Member
            • Oct 2001
            • 1021
            • 4.2.X

            #6
            Ugh, this is a poor fix IMHO. Is M$ so unfit to fix such a bug, so that they apply such a crappy workaround?
            Hints & Tips:
            [[vB3] More Spiders / Indexers / Archives for vB3 - list]|[List of one-time-emails to ban]



            • merk
              Senior Member
              • Jul 2001
              • 4149

              #7
              Why is it crappy? You're storing your password data in plain text!

              At least let the window pop up and choose "save password" so it is stored in a safer protected area on your harddrive!

              Good move for microsoft, imo - having people spoof urls around that look like they come from proper domains really sucks.

              Not a reason to switch browsers, there are other better (more secure) solutions available for password management.


              • Stadler
                Senior Member
                • Oct 2001
                • 1021
                • 4.2.X

                #8
                The fix is crappy. I didn't say that it's a good idea to store any passwords in plain text.
                Hints & Tips:
                [[vB3] More Spiders / Indexers / Archives for vB3 - list]|[List of one-time-emails to ban]



                • DWZ
                  Senior Member
                  • Jan 2002
                  • 985
                  • 2.2.9

                  #9
                  There are times when I'm on a secure website which requires me to go to another secure website, so it gives the login/password in the form of http://username[email protected]/ to save me having to type in the login and password.

                  Whilst Microsoft may think it, I'm not an idiot and realize http://mybank.com/info:[email protected]/ is not the best place to confirm my login information when I'm sent a spam email....


                  • filburt1
                    Senior Member
                    • Feb 2002
                    • 6606

                    #10
                    Originally posted by Stadler
                    Ugh, this is a poor fix IMHO. Is M$ so unfit to fix such a bug, so that they apply such a crappy workaround?
                    It's not fixing a bug, it is protecting users from their own dangerous behavior: saving passwords in plain text (the equivalent of security suicide) and deceptive links.

                    I have never--NEVER--had a need to use the username:password@ method of logging into a site.

                    I also have a hard time taking people seriously who spell Microsoft or MS with a dollar sign.

                    Besides, this is not a debate for Microsoft's security responses; the warning, such as it is, about the Member's Area has been posted and is over with.
                    --filburt1, vBulletin.org/vBulletinTemplates.com moderator
                    Web Design Forums.net: vB Board of the Month
                    vBulletin Mail System (vBMS): webmail for your forum users


                    • jibious
                      New Member
                      • Mar 2003
                      • 28
                      • 3.0.1

                      #11
                      i guess it's okay to write a bug fix that's against RFC standards... and hey, it only took them six months to put this fix out.

                      i just think they could have done a lot more in that six months to actually FIX the issue and not create a new one (one of RFC compliancy).

                      personally, i liked the feature. but on username:password@ sites, you were not able to save images as .jpg files (yes, i used to look at porn). every other browser, you could. it's just been bad coding on their part in this aspect for some years now...


                      • seanf
                        Member
                        • Jul 2002
                        • 89

                        #12
                        Originally posted by jibious
                        ... this is non-RFC ...
                        If you actually read the RFC you'll see that it is not recommended:

                        Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used.
                        Sean
                        SitePoint Advisor (seanf)
                        http://sitepointforums.com
                        Harry Potter
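
An added example, not part of the thread: a link check that uses the standard `URL` parser (Node and browsers) to flag the `username:password@` form discussed above and report the host that is actually contacted. The function names and sample URLs are assumptions constructed for illustration, on reserved example domains.

```javascript
// Flag links whose authority carries a userinfo part ("userinfo@host"),
// the URL form this thread is about. Sample URLs are constructed.

// Pull http(s) links out of free text (simple pattern, enough for a mail body).
function extractLinks(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
}

// Parse one link and report what the browser would actually connect to.
function inspectLink(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { raw, valid: false };
  }
  const hasUserinfo = u.username !== "" || u.password !== "";
  // Userinfo that itself looks like a host name is the deceptive case:
  // the reader sees a trusted name first, the real host follows the "@".
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username);
  // Copy of the URL with credentials stripped, safe to log or display.
  const clean = new URL(u.href);
  clean.username = "";
  clean.password = "";
  return {
    raw, valid: true,
    realHost: u.hostname,
    hasUserinfo,
    hasPassword: u.password !== "",
    deceptive: hasUserinfo && looksLikeHost,
    sanitized: clean.href,
  };
}

// Return only the links that carry userinfo.
function scan(text) {
  return extractLinks(text).map(inspectLink).filter(r => r.valid && r.hasUserinfo);
}

// Constructed sample message body.
const sample = [
  "Members: http://alice:s3cret@members.example.com/members/",
  "Confirm here: http://mybank.example@login.example.net/info",
  "Docs: https://www.example.org/help",
].join("\n");

for (const r of scan(sample)) {
  console.log(r.deceptive ? "DECEPTIVE" : "CREDENTIALS", r.realHost, r.sanitized);
}
```

The first sample is a bookmark that embeds a plain-text password; the second shows a host-like name in front of the `@`, where the connection goes to the host after it.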

