«

I have got quite a few bookmarks to secure pages bookmarked similar
to the format below, with the username and password embedded into the
url. This prevents me needing to type it in each time I access the
page.
http://username:razz:assword@website...ure/index.html
However since I installed the latest security fixes to IE, IE no
longer allows me to access the page this way. Does anyone know if they
have now removed this feature due to the recent security flaws found
in IE.
It still works in opera, although opera conceals the passsword in the
url which is far more secure.

Max wrote:
> http://username:razz:assword@website...ure/index.html
> However since I installed the latest security fixes to IE, IE no
> longer allows me to access the page this way. Does anyone know if they
> have now removed this feature due to the recent security flaws found
> in IE.

Yep.. this is the glitch that they fixed... mozilla still lets you do it
but for how long, no-one knows... it's not a good way tp do it anyway...
passwords shouldn't be saved.

--
Http://www.Dave.net.nz
Play Hangman
Register, and play Space Invaders or Pacman.

Max scribbled:

> I have got quite a few bookmarks to secure pages bookmarked similar
> to the format below, with the username and password embedded into the
> url. This prevents me needing to type it in each time I access the
> page.
> http://username:razz:assword@website...ure/index.html
> However since I installed the latest security fixes to IE, IE no
> longer allows me to access the page this way. Does anyone know if they
> have now removed this feature due to the recent security flaws found
> in IE.
> It still works in opera, although opera conceals the passsword in the
> url which is far more secure.


An explanation on why it's happening after the update is applied:
http://zdnet.com.com/2100-1105_2-5153534.html

And how to fix it here.....
http://support.microsoft.com/default...b;en-us;834489


Personally I wont be fixing/reversing this update because some webpage
designer/owner insists on having users provide their passwords in plain text
just to use their services....

--
mlvburke@#%&*.net.nz
Replace the obvious with paradise to email me.
See Found Images at:
http://homepages.paradise.net.nz/~mlvburke/

On Sat, 7 Feb 2004 11:17:56 +1300, "Max Burke" <mlvburke@%$%#@.nz>
wrote:

>Max scribbled:
>
>> I have got quite a few bookmarks to secure pages bookmarked similar
>> to the format below, with the username and password embedded into the
>> url. This prevents me needing to type it in each time I access the
>> page.
>> http://username:razz:assword@website...ure/index.html
>> However since I installed the latest security fixes to IE, IE no
>> longer allows me to access the page this way. Does anyone know if they
>> have now removed this feature due to the recent security flaws found
>> in IE.
>> It still works in opera, although opera conceals the passsword in the
>> url which is far more secure.
>
>
>An explanation on why it's happening after the update is applied:
>http://zdnet.com.com/2100-1105_2-5153534.html
>
>And how to fix it here.....
>http://support.microsoft.com/default...b;en-us;834489
>
>
>Personally I wont be fixing/reversing this update because some webpage
>designer/owner insists on having users provide their passwords in plain text
>just to use their services....


Thanks for that link. I think it is more the case that microsoft have
disabled a key feature instead of fixing it. Opera actually hides the
password details in the URL, so I don't know why MS couldn't do
something similar instead of saying 'too hard, just disable it,
otherwise we may get sued'.

"Max" <> wrote in message
news:...
>I have got quite a few bookmarks to secure pages bookmarked similar
> to the format below, with the username and password embedded into the
> url. This prevents me needing to type it in each time I access the
> page.
> http://username:razz:assword@website...ure/index.html
> However since I installed the latest security fixes to IE, IE no
> longer allows me to access the page this way. Does anyone know if they
> have now removed this feature due to the recent security flaws found
> in IE.
> It still works in opera, although opera conceals the passsword in the
> url which is far more secure.


Security before features, note this is off for http/https not ftp

If you really want to continue sending your credentials in clear text you
can enable this feature

http://support.microsoft.com/default...b;en-us;834489

Personally I'd be getting website.com to change the way they force me to
logon to their site

How to disable the new default behavior for handling user information in
HTTP or HTTPS URLs
To disable the new default behavior in Windows Explorer and Internet
Explorer, create iexplore.exe and explorer.exe DWORD values in one of the
following registry keys and set their value data to 0.
For all users of the program, set the value in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE

For the current user of the program only, set the value in the following
registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME _PASSWORD_DISABLE

On Sat, 07 Feb 2004 12:22:25 +1300, Max <>
wrote:
>
>Thanks for that link. I think it is more the case that microsoft have
>disabled a key feature instead of fixing it. Opera actually hides the
>password details in the URL, so I don't know why MS couldn't do
>something similar instead of saying 'too hard, just disable it,
>otherwise we may get sued'.
>
It's not that. What you are doing is a really bad idea. You are
sending your password over the Internet in clear text. Opera may
"hide" the password in the URL, but it's still being *sent* as clear
text. All that Opera does is prevent someone from reading your
password over your shoulder.

If you just send the URL, no user/password, what happens is that the
site that you are connecting to will set up a secure (encrypted)
connection and sends you the login box. you fill this in and send it,
encrypted, back to the secure site. So your username and password
never get sent as clear text.

Cheers,

Cliff
--

I think that Don Brash is a Labour mole.
That would explain everything.

> Max scribbled:

>> Max Burke wrote:

> I have got quite a few bookmarks to secure pages bookmarked similar
> to the format below, with the username and password embedded into
> the url. This prevents me needing to type it in each time I access
> the page.
> http://username:razz:assword@website...ure/index.html
> However since I installed the latest security fixes to IE, IE no
> longer allows me to access the page this way. Does anyone know if
> they have now removed this feature due to the recent security flaws
> found in IE.
> It still works in opera, although opera conceals the passsword in
> the url which is far more secure.

>> An explanation on why it's happening after the update is applied:
>> http://zdnet.com.com/2100-1105_2-5153534.html

>> And how to fix it here.....
>> http://support.microsoft.com/default...b;en-us;834489

>> Personally I wont be fixing/reversing this update because some
>> webpage designer/owner insists on having users provide their
>> passwords in plain text just to use their services....


> Thanks for that link. I think it is more the case that microsoft have
> disabled a key feature instead of fixing it. Opera actually hides the
> password details in the URL, so I don't know why MS couldn't do
> something similar instead of saying 'too hard, just disable it,
> otherwise we may get sued'.

<quote>
"In fact, the usernameassword convention is mentioned in a document of the
Internet Engineering Task Force called RFC 2396. However, the IETF's opinion
appears to be that this practice is not recommended. The IETF's reticence
appears to be not so much about phishing as the issue of passing usernames
and passwords as clear text (as they are when embedded in URLs like this).

So Microsoft can now say that, in this respect at least, its browser is more
secure than those of the competition.

http://comment.zdnet.co.uk/mattloney...45547-2,00.htm
<end quote>


--
mlvburke@#%&*.net.nz
Replace the obvious with paradise to email me.
See Found Images at:
http://homepages.paradise.net.nz/~mlvburke/

Enkidu wrote:

> It's not that. What you are doing is a really bad idea. You are
> sending your password over the Internet in clear text. Opera may
> "hide" the password in the URL, but it's still being *sent* as clear
> text. All that Opera does is prevent someone from reading your
> password over your shoulder.
>
> If you just send the URL, no user/password, what happens is that the
> site that you are connecting to will set up a secure (encrypted)
> connection and sends you the login box. you fill this in and send it,
> encrypted, back to the secure site. So your username and password
> never get sent as clear text.

Err, no, this is basic authentication, it is sent as cleartext as an HTTP
header, no difference if you put it in the popup authentication box, or the URL
itself.

https:// urls are the only time you are using a secure connection.

IE also hides the password when you access an FTP site in that manner.

On Sun, 08 Feb 2004 10:48:56 +1300, Richard Malcolm-Smith
<> wrote:

>Enkidu wrote:
>
>> It's not that. What you are doing is a really bad idea. You are
>> sending your password over the Internet in clear text. Opera may
>> "hide" the password in the URL, but it's still being *sent* as clear
>> text. All that Opera does is prevent someone from reading your
>> password over your shoulder.
>>
>> If you just send the URL, no user/password, what happens is that the
>> site that you are connecting to will set up a secure (encrypted)
>> connection and sends you the login box. you fill this in and send it,
>> encrypted, back to the secure site. So your username and password
>> never get sent as clear text.
>
>Err, no, this is basic authentication, it is sent as cleartext as an HTTP
>header, no difference if you put it in the popup authentication box, or the URL
>itself.
>
Yes, you are 100% correct. I don't know where my brain was at the time
that I wrote that.

Cheers,

Cliff
--

I think that Don Brash is a Labour mole.
That would explain everything.

>>Err, no, this is basic authentication, it is sent as cleartext as an HTTP
>>header, no difference if you put it in the popup authentication box, or the URL
>>itself.
>>
>
> Yes, you are 100% correct. I don't know where my brain was at the time
> that I wrote that.

Good thing this updates damage is reverable. I use the usernameassword@
notation for my bookmarks to my wireless accesspoints and router. Have to use IE
for the dlinks or it doesnt work...