Journal of iburrell (4155)

Monday February 02, 2004
08:14 PM

HTTP URLs and authentication

[ #17164 ]
Microsoft just posted a security update for Internet Explorer. One of the fixes is to disable usernames and passwords in HTTP URLs. This is to prevent spoofing sites with URLs like http://www.paypal.com@evilscammer.com/ that confuse naive users about which site they are browsing. Unfortunately, it violates the URL standard and breaks useful behavior.

This affects one of our websites. The protected section of the website uses basic authentication. The username and password are put in the URL to access the content pages. This is a pretty stupid way of doing authentication since the username and password are exposed. But the content pages are accessed through a CGI script and in a frame so the URLs are not visible.

I think Microsoft should have chosen a different solution to the problem. This would be not showing the username and password in the URL bar or status bar. The username (and auth mechanism) should show in a "Page Info". Hiding information is bad (it would make debugging harder) but deceiving users is worse.

To make it clear when the authentication happens, the window should pop up but with the username and password filled in from the URL. This makes it obvious that authentication is happening. It also lets the user see the username and password. This doesn't help with spoof sites which probably don't use any authentication.
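As an added illustration (not part of the original journal entry), here is how a browser or link-checking proxy could handle the two cases above: surface the real host and the username carried in the URL, as the "Page Info" suggestion proposes, and flag userinfo that reads like a hostname, rather than rejecting every URL with credentials. It uses the WHATWG URL parser built into Node; the function name and the constructed sample URLs are my own.

```javascript
// Added example: "Page Info" style inspection of an HTTP URL that may carry
// userinfo (user:password@host).  The real host is always shown first so it
// can never be hidden behind the "@", and the address-bar form has the
// credentials stripped.  Function name and return shape are assumptions.
function inspectHttpUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { valid: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { valid: false, reason: 'not an HTTP URL' };
  }
  const hasCredentials = url.username !== '' || url.password !== '';
  const username = decodeURIComponent(url.username);
  // A username that looks like a domain name is the pattern the post warns
  // about: naive users read "www.paypal.com" as the site being visited.
  const hostLikeUser = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/.test(username);
  // Address-bar form: same URL with userinfo removed.
  const shown = new URL(url.href);
  shown.username = '';
  shown.password = '';
  return {
    valid: true,
    host: url.hostname,                       // what the browser really connects to
    hasCredentials,
    username: hasCredentials ? username : null,
    suspicious: hasCredentials && hostLikeUser,
    display: hasCredentials
      ? `Site: ${url.hostname} (username "${username}" supplied in URL)`
      : `Site: ${url.hostname}`,
    safeHref: shown.href,
  };
}

// Constructed sample inputs: the spoofing pattern from the post, a legitimate
// basic-auth URL like the one the frame-based site uses, and a plain URL.
const samples = [
  'http://www.paypal.com@evilscammer.com/',
  'http://user:secret@example.com/protected/',
  'http://example.com/',
];
for (const s of samples) {
  const info = inspectHttpUrl(s);
  console.log(s, '->', info.display, info.suspicious ? '[host-like username]' : '');
}
```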
