[Sussex] (OT)IE and url handling

Jon Fautley jon at geekpeople.net
Thu Jan 29 09:40:56 UTC 2004


dominic.clay at btopenworld.com wrote:

>834489 - Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs:
> 
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489
>
>What do you think of this? Is it making systems safer, or does it break a Specification (RFC)????
>  
>
There's a lot of discussion of this over on the full-disclosure mailing 
list. Personally, it doesn't really bother me, as I don't use IE that 
much, and I almost never use it for logging into .htaccess restricted 
sites and NEVER use it for FTP.

Does it break RFC? Who knows... I've not read the RFCs in question. 
However, it wouldn't surprise me if it did - but then again, Microsoft 
really don't care about RFCs... just look at Exchange and its totally 
broken POP3 server (and probably SMTP/IMAP server too)

The whole reason for this change is to stop people forming URLs that 
look like the following:

http://www.microsoft.com/linux/products/officeforlinux.aspx@www.badsite.com/fakems/randomnews.html

Which makes it look like you're going to microsoft.com, but really 
you're going to www.badsite.com.

Mozilla gets round this in a nice, simple way.. it warns you of what's 
happening and says you're actually going to www.badsite.com and then 
checks if you actually want to go there. Simple. Doesn't annoy anyone - 
a very 'Mozilla-ish' thing to do.

Microsoft can only do what they know how to do - break random standards 
and annoy its customers.

Jon
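
An added example, not part of the original message: a check that uses the WHATWG URL parser (built into Node.js and browsers) to report the host a link is really sent to and to flag userinfo that imitates a host name. The sample links are constructed from the host names in the post; `inspectLink`, `safeDecode` and the verdict labels are hypothetical names.

```javascript
// Added example (not from the original post). Names and verdict labels are hypothetical.
// Constructed sample links, built from the host names used in the post.
const SAMPLES = [
  "http://www.microsoft.com@www.badsite.com/fakems/randomnews.html",
  "http://www.microsoft.com%2Flinux%2Fproducts@www.badsite.com/fakems/",
  "https://user:secret@www.badsite.com/private/",
  "http://www.microsoft.com/linux/products/",
  // An '@' after the first '/' is part of the path, not the authority.
  "http://www.microsoft.com/linux/page.aspx@www.badsite.com/x",
  "not a url",
];

// Percent-decode userinfo for display; malformed escapes are returned unchanged.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Report where a link really goes and whether its userinfo imitates a host name.
function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { verdict: "unparseable", host: null, userinfo: null };
  }
  if (url.username === "" && url.password === "") {
    return { verdict: "ok", host: url.hostname, userinfo: null };
  }
  const user = safeDecode(url.username);
  // Dotted labels at the start of the userinfo read like a destination host.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+(\/|$)/i.test(user);
  return {
    verdict: looksLikeHost ? "spoofed-host" : "userinfo",
    host: url.hostname, // the host the request is actually sent to
    userinfo: user,
  };
}

for (const link of SAMPLES) {
  const r = inspectLink(link);
  console.log(`${r.verdict.padEnd(12)} host=${r.host}  ${link}`);
}
```

Parsing the link rather than searching it for `@` is what separates the first two samples from the fifth, where the `@` sits in the path and the host is the one shown first.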



