Time: 13:47 EST/18:47 GMT | News Source: Netcraft | Posted By: Robert Stein
A forthcoming update to Internet Explorer will disallow the use of the "@" character in URLs, addressing an issue which has helped fraudsters to obscure the true destination in web site addresses. Once the update is installed, including the @ symbol in URLs will return an "invalid syntax error" message. Microsoft's advisory did not say when the update would be available.
|
|
#1 By 2960 (156.80.64.137) at 1/28/2004 3:09:53 PM
Hmmm... Might this not affect online storage?
I'm a little fuzzy on the buzzwords I need to use here, but I remember logging on to certain online storage sites that used authentication in the url.
TL
|
#2 By 61 (24.92.223.138) at 1/28/2004 3:45:12 PM
Yeah, I really don't like this.
|
#3 By 6859 (206.156.242.36) at 1/28/2004 4:40:47 PM
bad move. Me no likey.
Let me clarify: I don't like that they're removing the behavior for a URL but not leaving it in for FTP. FTP has legit uses of this, URLs don't.
This post was edited by Cthulhu on Wednesday, January 28, 2004 at 17:16.
|
#4 By 135 (208.186.90.168) at 1/28/2004 5:58:33 PM
How does the @ symbol obscure the website?
|
#5 By 2459 (24.175.137.164) at 1/28/2004 6:47:10 PM
#5 It doesn't if you know what you're looking for, but most users don't.
http://www.cnn.com%01@www.activewin.com
Takes you to activewin's page. The average user would think it took them to cnn. Usually, spoofers make pages that look like the page you think you're going to and include the link in an email, etc. You think you're on the legit site instead of the spoofed site, so you may be inclined to give out personal info, etc.
This post was edited by n4cer on Wednesday, January 28, 2004 at 19:01.
|
#6 By 12071 (203.185.215.149) at 1/28/2004 6:53:24 PM
#4 ALL (read: every single) URL has a legitimate reason for having the '@' symbol in it, that's the way URL's were designed, and here's Microsoft coming through again to screw up another standard! Rather than fixing the actual problem their solution is to remove the '@' symbol altogether, morons!
ftp://user:password@ftp.microsoft.com is just as valid as
http://user:password@www.microsoft.com
and there are some (although not many) websites that are protected (i.e. access limited) in this exact way.
|
#7 By 116 (24.173.215.234) at 1/28/2004 7:08:17 PM
That's until you see something like this:
http://www.bankofamerica.com?ajdkajfkl&query=&asdfasdf&asdfasdf@www.evilhackerwebsite.com/stealcreditcardnumber/
Most people are used to seeing websites with a lot of gobbledygook in the address bar. They ignore this content and never read it.
Yeah the @ is a part of the standard but in the interest of protecting people's safety online this is the correct solution.
FTP is the same deal, you could trick someone using the same device. The only solution I can see is changing the username and password to go at the end.
|
#8 By 2459 (24.175.137.164) at 1/28/2004 7:13:13 PM
BTW, I think this issue may be fixed in SP2. Unless I missed something, I can still see the full URL in the status bar.
|
#9 By 3339 (64.160.58.135) at 1/28/2004 8:39:54 PM
This comment has been removed due to a violation of the Active Network Terms of Use.
|
#10 By 12071 (203.185.215.149) at 1/28/2004 10:00:29 PM
#9 Nope, that URL that you gave is perfectly fine. You stuffed up by putting '?' before the '@' which is not allowed by the standard. If you would like to see the standard have a look here:
http://www.w3.org/Addressing/rfc1738.txt
"Yeah the @ is a part of the standard but in the interest of protecting people's safety online this is the correct solution."
No this is a moronic solution which breaks the standard. There would be numerous ways of handling this (ie letting the user know what's going on) without breaking the standard. This isn't the correct solution, this is the lazy solution. And you honestly wonder why people complain about Microsoft continually breaking standards!
#11 "The standard also used to be that you could mail any attachment and receive any attachment in Outlook and Outlook Express."
The STANDARD is that you CAN email and receive any attachment in ANY email application that adheres to the standard! The standard DOES NOT state that the attachment should be automatically executed including any scripts etc, THAT was Microsoft's own ingenious idea which has come back to bite them on the arse!
"Microsoft was right to change that for the safety of its less educated users."
Microsoft didn't change the standard!!! They just changed their own little ingenious idea of automatically executing attachments and put a ban on "dangerous" filetypes in case the user might want to double click on the attachment!
"It is right to change this standard."
No it is not. Fix the problem rather than modifying the standard!
"Switch to a less secure browser if you want to."
Nothing is LESS secure than IE!
Latest IE Bug:
http://www.infoworld.com/article/04/01/28/HNiehole_1.html
http://www.secunia.com/advisories/10736/
I can just imagine the patch for this - No file downloads will be allowed from web pages. After all, we have to do everything possible to protect people's safety!
#14 "And remember, it is mostly Unix mail servers transporting all the viruses throughout the internet."
Prove it! All the latest 'viruses' have all targeted Exchange Servers and Outlook users!
"I think Microsofts solution is an excellent solution."
There's a surprise!
This post was edited by chris_kabuki on Wednesday, January 28, 2004 at 22:29.
|
#11 By 12071 (203.185.215.149) at 1/28/2004 10:28:49 PM
#16 You are absolutely correct. It seems that everyone has been using the common syntax rather than the individual rules depending on the scheme selected:
While the syntax for the rest of the URL may vary depending on the
particular scheme selected, URL schemes that involve the direct use
of an IP-based protocol to a specified host on the Internet use a
common syntax for the scheme-specific data:
//<user>:<password>@<host>:<port>/<url-path>
Some or all of the parts "<user>:<password>@", ":<password>",
":<port>", and "/<url-path>" may be excluded. The scheme specific
data start with a double slash "//" to indicate that it complies with
the common Internet scheme syntax.
|
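The three URLs quoted in this thread, run through a standards-following parser, as an added example that is not part of any poster's comment: it reports the host a client would actually contact and flags userinfo that is dressed up as a site name. `inspectLink`, `safeDecode` and the flag names are made up for this illustration, and it assumes Node.js or a browser with the WHATWG `URL` class.

```javascript
// Added example: report where a link really goes and flag misleading userinfo.
// The sample URLs are the ones quoted in the comments on this page.
const SAMPLES = [
  'http://www.cnn.com%01@www.activewin.com',
  'http://www.bankofamerica.com?ajdkajfkl&query=&asdfasdf&asdfasdf@www.evilhackerwebsite.com/stealcreditcardnumber/',
  'ftp://user:password@ftp.microsoft.com',
];

// Percent-decode without throwing on malformed escapes such as "%zz".
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// inspectLink is a hypothetical helper name, not a browser or library API.
function inspectLink(raw) {
  const u = new URL(raw); // throws TypeError on input that is not a URL
  const userinfo = safeDecode(u.username) +
    (u.password ? ':' + safeDecode(u.password) : '');
  const flags = [];
  // Credentials in an http(s) link are rare in legitimate mail and pages.
  if (userinfo && /^https?:$/.test(u.protocol)) flags.push('userinfo-in-http-url');
  // Control characters (0x00-0x1F, 0x7F) have no place in a user name.
  if (/[\x00-\x1f\x7f]/.test(userinfo)) flags.push('control-char-in-userinfo');
  // Heuristic: a "user name" that starts like a DNS name imitates a site.
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(userinfo)) flags.push('userinfo-looks-like-host');
  // An "@" after the authority ended ("/", "?" or "#") is data, not a host switch.
  if (!userinfo && (u.pathname + u.search + u.hash).includes('@')) {
    flags.push('at-sign-outside-authority');
  }
  return { host: u.hostname, userinfo, flags };
}

for (const s of SAMPLES) console.log(inspectLink(s));
```

The second sample resolves to the first host name because the "?" ends the authority before the "@" is reached, which is the point made in comment #10.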
#13 By 12071 (203.185.215.149) at 1/29/2004 12:29:40 AM
#18 Guess we both learnt something after all then =)
#19 No I don't want to transfer my store card balances to Egg Card, even if they are offering 0% until 1st of July, but thanks anyway.
|
#14 By 3339 (64.160.58.135) at 1/29/2004 3:14:51 PM
"There is no evidence the viruses have targeted exchange. They are just standard email with attachments."
Hilarious! Standard emails with attachments designed to harvest contact info from Exchange. Standard emails with attachments which do not affect Sendmail or other email servers or apps. Standard emails with attachments that only affect MS's systems.
But they don't target exchange.