Internet Explorer issue

Discussion in 'NZ Computing' started by Max, Feb 6, 2004.

  1. Max

    Max Guest

    I have got quite a few bookmarks to secure pages bookmarked similar
    to the format below, with the username and password embedded into the
    url. This prevents me needing to type it in each time I access the
    page.
    http://username:/secure/index.html
    However since I installed the latest security fixes to IE, IE no
    longer allows me to access the page this way. Does anyone know if they
    have now removed this feature due to the recent security flaws found
    in IE.
    It still works in Opera, although Opera conceals the password in the
    URL which is far more secure.
     
    Max, Feb 6, 2004
    #1

  2. Max wrote:
    > http://username:/secure/index.html
    > However since I installed the latest security fixes to IE, IE no
    > longer allows me to access the page this way. Does anyone know if they
    > have now removed this feature due to the recent security flaws found
    > in IE.


    Yep.. this is the glitch that they fixed... Mozilla still lets you do it
    but for how long, no-one knows... it's not a good way to do it anyway...
    passwords shouldn't be saved.

    --
    Http://www.Dave.net.nz
    Play Hangman
    Register, and play Space Invaders or Pacman.
     
    T.N.O. - Dave.net.nz, Feb 6, 2004
    #2

  3. Max

    Max Burke Guest

    Max scribbled:

    > I have got quite a few bookmarks to secure pages bookmarked similar
    > to the format below, with the username and password embedded into the
    > url. This prevents me needing to type it in each time I access the
    > page.
    > http://username:/secure/index.html
    > However since I installed the latest security fixes to IE, IE no
    > longer allows me to access the page this way. Does anyone know if they
    > have now removed this feature due to the recent security flaws found
    > in IE.
    > It still works in Opera, although Opera conceals the password in the
    > URL which is far more secure.



    An explanation on why it's happening after the update is applied:
    http://zdnet.com.com/2100-1105_2-5153534.html

    And how to fix it here.....
    http://support.microsoft.com/default.aspx?scid=kb;en-us;834489


    Personally I won't be fixing/reversing this update because some webpage
    designer/owner insists on having users provide their passwords in plain text
    just to use their services....

    --
    mlvburke@#%&*.net.nz
    Replace the obvious with paradise to email me.
    See Found Images at:
    http://homepages.paradise.net.nz/~mlvburke/
     
    Max Burke, Feb 6, 2004
    #3
  4. Max

    Max Guest

    On Sat, 7 Feb 2004 11:17:56 +1300, "Max Burke" <mlvburke@%$%#@.nz>
    wrote:

    >Max scribbled:
    >
    >> I have got quite a few bookmarks to secure pages bookmarked similar
    >> to the format below, with the username and password embedded into the
    >> url. This prevents me needing to type it in each time I access the
    >> page.
    >> http://username:/secure/index.html
    >> However since I installed the latest security fixes to IE, IE no
    >> longer allows me to access the page this way. Does anyone know if they
    >> have now removed this feature due to the recent security flaws found
    >> in IE.
    >> It still works in Opera, although Opera conceals the password in the
    >> URL which is far more secure.

    >
    >
    >An explanation on why it's happening after the update is applied:
    >http://zdnet.com.com/2100-1105_2-5153534.html
    >
    >And how to fix it here.....
    >http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
    >
    >
    >Personally I won't be fixing/reversing this update because some webpage
    >designer/owner insists on having users provide their passwords in plain text
    >just to use their services....



    Thanks for that link. I think it is more the case that Microsoft have
    disabled a key feature instead of fixing it. Opera actually hides the
    password details in the URL, so I don't know why MS couldn't do
    something similar instead of saying 'too hard, just disable it,
    otherwise we may get sued'.
     
    Max, Feb 6, 2004
    #4
  5. "Max" <> wrote in message
    news:...
    >I have got quite a few bookmarks to secure pages bookmarked similar
    > to the format below, with the username and password embedded into the
    > url. This prevents me needing to type it in each time I access the
    > page.
    > http://username:/secure/index.html
    > However since I installed the latest security fixes to IE, IE no
    > longer allows me to access the page this way. Does anyone know if they
    > have now removed this feature due to the recent security flaws found
    > in IE.
    > It still works in Opera, although Opera conceals the password in the
    > URL which is far more secure.



    Security before features, note this is off for http/https not ftp

    If you really want to continue sending your credentials in clear text you
    can enable this feature

    http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

    Personally I'd be getting website.com to change the way they force me to
    log on to their site

    How to disable the new default behavior for handling user information in
    HTTP or HTTPS URLs

    To disable the new default behavior in Windows Explorer and Internet
    Explorer, create iexplore.exe and explorer.exe DWORD values in one of the
    following registry keys and set their value data to 0.

    For all users of the program, set the value in the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

    For the current user of the program only, set the value in the following
    registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
     
    Nathan Mercer, Feb 7, 2004
    #5
  6. Max

    Enkidu Guest

    On Sat, 07 Feb 2004 12:22:25 +1300, Max <>
    wrote:
    >
    >Thanks for that link. I think it is more the case that Microsoft have
    >disabled a key feature instead of fixing it. Opera actually hides the
    >password details in the URL, so I don't know why MS couldn't do
    >something similar instead of saying 'too hard, just disable it,
    >otherwise we may get sued'.
    >

    It's not that. What you are doing is a really bad idea. You are
    sending your password over the Internet in clear text. Opera may
    "hide" the password in the URL, but it's still being *sent* as clear
    text. All that Opera does is prevent someone from reading your
    password over your shoulder.

    If you just send the URL, no user/password, what happens is that the
    site that you are connecting to will set up a secure (encrypted)
    connection and send you the login box. You fill this in and send it,
    encrypted, back to the secure site. So your username and password
    never get sent as clear text.

    Cheers,

    Cliff
    --

    I think that Don Brash is a Labour mole.
    That would explain everything.
     
    Enkidu, Feb 7, 2004
    #6
  7. Max

    Max Burke Guest

    > Max scribbled:

    >> Max Burke wrote:


    > I have got quite a few bookmarks to secure pages bookmarked similar
    > to the format below, with the username and password embedded into
    > the url. This prevents me needing to type it in each time I access
    > the page.
    > http://username:/secure/index.html
    > However since I installed the latest security fixes to IE, IE no
    > longer allows me to access the page this way. Does anyone know if
    > they have now removed this feature due to the recent security flaws
    > found in IE.
    > It still works in Opera, although Opera conceals the password in
    > the URL which is far more secure.


    >> An explanation on why it's happening after the update is applied:
    >> http://zdnet.com.com/2100-1105_2-5153534.html


    >> And how to fix it here.....
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;834489


    >> Personally I won't be fixing/reversing this update because some
    >> webpage designer/owner insists on having users provide their
    >> passwords in plain text just to use their services....



    > Thanks for that link. I think it is more the case that Microsoft have
    > disabled a key feature instead of fixing it. Opera actually hides the
    > password details in the URL, so I don't know why MS couldn't do
    > something similar instead of saying 'too hard, just disable it,
    > otherwise we may get sued'.


    <quote>
    "In fact, the username:password convention is mentioned in a document of the
    Internet Engineering Task Force called RFC 2396. However, the IETF's opinion
    appears to be that this practice is not recommended. The IETF's reticence
    appears to be not so much about phishing as the issue of passing usernames
    and passwords as clear text (as they are when embedded in URLs like this).

    So Microsoft can now say that, in this respect at least, its browser is more
    secure than those of the competition.

    http://comment.zdnet.co.uk/mattloney/0,39020679,39145547-2,00.htm
    <end quote>


    --
    mlvburke@#%&*.net.nz
    Replace the obvious with paradise to email me.
    See Found Images at:
    http://homepages.paradise.net.nz/~mlvburke/
     
    Max Burke, Feb 7, 2004
    #7
  8. Enkidu wrote:

    > It's not that. What you are doing is a really bad idea. You are
    > sending your password over the Internet in clear text. Opera may
    > "hide" the password in the URL, but it's still being *sent* as clear
    > text. All that Opera does is prevent someone from reading your
    > password over your shoulder.
    >
    > If you just send the URL, no user/password, what happens is that the
    > site that you are connecting to will set up a secure (encrypted)
    > connection and send you the login box. You fill this in and send it,
    > encrypted, back to the secure site. So your username and password
    > never get sent as clear text.


    Err, no, this is basic authentication, it is sent as cleartext as an HTTP
    header, no difference if you put it in the popup authentication box, or the URL
    itself.

    https:// urls are the only time you are using a secure connection.

    IE also hides the password when you access an FTP site in that manner.
     
    Richard Malcolm-Smith, Feb 7, 2004
    #8
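
The point made in post #8, as an added example that is not part of the original thread: credentials embedded in a URL end up in the same Base64-encoded `Authorization: Basic` header as credentials typed into the login popup, and anyone who can read the request can decode them unless the scheme is `https`. The host name and credentials below are constructed sample values.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample URLs (host and credentials are made up for this example).
SAMPLE_HTTP = "http://alice:s3cret@intranet.example/secure/index.html"
SAMPLE_HTTPS = "https://alice:s3cret@intranet.example/secure/index.html"


def basic_auth_header(url):
    """Authorization header value a client builds from URL userinfo, or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    creds = f"{parts.username}:{parts.password or ''}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def recover_credentials(header_value):
    """What a reader of the request recovers: Base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit_url(url):
    """Summarise what a bookmark with embedded credentials exposes."""
    parts = urlsplit(url)
    header = basic_auth_header(url)
    return {
        "host_contacted": parts.hostname,          # the part after '@', not the userinfo
        "credentials_in_url": header is not None,  # stored wherever the URL is saved
        "readable_on_the_wire": header is not None and parts.scheme != "https",
        "authorization_header": header,
    }


if __name__ == "__main__":
    for url in (SAMPLE_HTTP, SAMPLE_HTTPS):
        report = audit_url(url)
        print(report)
        print(recover_credentials(report["authorization_header"]))
```
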
  9. Max

    Enkidu Guest

    On Sun, 08 Feb 2004 10:48:56 +1300, Richard Malcolm-Smith
    <> wrote:

    >Enkidu wrote:
    >
    >> It's not that. What you are doing is a really bad idea. You are
    >> sending your password over the Internet in clear text. Opera may
    >> "hide" the password in the URL, but it's still being *sent* as clear
    >> text. All that Opera does is prevent someone from reading your
    >> password over your shoulder.
    >>
    >> If you just send the URL, no user/password, what happens is that the
    >> site that you are connecting to will set up a secure (encrypted)
    >> connection and send you the login box. You fill this in and send it,
    >> encrypted, back to the secure site. So your username and password
    >> never get sent as clear text.

    >
    >Err, no, this is basic authentication, it is sent as cleartext as an HTTP
    >header, no difference if you put it in the popup authentication box, or the URL
    >itself.
    >

    Yes, you are 100% correct. I don't know where my brain was at the time
    that I wrote that.

    Cheers,

    Cliff
    --

    I think that Don Brash is a Labour mole.
    That would explain everything.
     
    Enkidu, Feb 7, 2004
    #9
  10. >>Err, no, this is basic authentication, it is sent as cleartext as an HTTP
    >>header, no difference if you put it in the popup authentication box, or the URL
    >>itself.
    >>

    >
    > Yes, you are 100% correct. I don't know where my brain was at the time
    > that I wrote that.


    Good thing this update's damage is reversible. I use the username:password@
    notation for my bookmarks to my wireless access points and router. Have to use IE
    for the D-Links or it doesn't work...
     
    Richard Malcolm-Smith, Feb 8, 2004
    #10
  11. Richard Malcolm-Smith wrote:
    > Good thing this update's damage is reversible. I use the
    > username:password@ notation for my bookmarks to my wireless access points
    > and router. Have to use IE for the D-Links or it doesn't work...


    Really? I find mozilla FB works fine to mine.

    --
    Http://www.Dave.net.nz
    Play Hangman
    Register, and play Space Invaders or Pacman.
     
    T.N.O. - Dave.net.nz, Feb 9, 2004
    #11