[Sussex] (OT)IE and url handling
Jon Fautley
jon at geekpeople.net
Thu Jan 29 09:40:56 UTC 2004
dominic.clay at btopenworld.com wrote:
>834489 - Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs:
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489
>
>What do you think of this? Is it making systems safer, or does it break a Specification (RFC)????
>
>
There's a lot of discussion of this over on the full-disclosure mailing
list. Personally, it doesn't really bother me, as I don't use IE that
much, and I almost never use it for logging into .htaccess restricted
sites and NEVER use it for FTP.

Does it break RFC? Who knows... I've not read the RFCs in question.
However, it wouldn't surprise me if it did - but then again, Microsoft
really don't care about RFCs... just look at Exchange and its totally
broken POP3 server (and probably SMTP/IMAP server too).

The whole reason for this change is to stop people forming URLs that
look like the following:

http://www.microsoft.com/linux/products/officeforlinux.aspx@www.badsite.com/fakems/randomnews.html

Which makes it look like you're going to microsoft.com, but really
you're going to www.badsite.com.

Mozilla gets round this in a nice, simple way... it warns you of what's
happening and says you're actually going to www.badsite.com and then
checks if you actually want to go there. Simple. Doesn't annoy anyone -
a very 'Mozilla-ish' thing to do.

Microsoft can only do what they know how to do - break random standards
and annoy its customers.

Jon
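
Added example, not part of the message above or of any browser's code: a link check in JavaScript that uses the standard `URL` parser to report the host a link really targets and to apply both policies discussed in the thread (refuse userinfo in HTTP/HTTPS URLs, or name the real destination and ask). The function name `inspectUrl` and the sample URLs are constructed for illustration.

```javascript
// Added example; sample URLs are constructed for illustration.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { verdict: "unparseable" }; }

  // The parser only treats text as userinfo when the "@" falls inside the
  // authority, i.e. before the first "/", "?" or "#" after "//".
  const user = safeDecode(u.username);
  const hasUserinfo = u.username !== "" || u.password !== "";
  const web = u.protocol === "http:" || u.protocol === "https:";

  let verdict = "ok";
  if (hasUserinfo) {
    // Userinfo shaped like a hostname is the misleading case; look at the
    // part before any encoded "/" so "site.example%2Fpath" is still caught.
    const label = user.split("/")[0];
    verdict = HOSTLIKE.test(label) ? "deceptive" : "userinfo";
  }
  return {
    verdict,
    host: u.hostname,
    // Policy 1 (refuse): no userinfo at all in HTTP/HTTPS URLs.
    refuse: web && hasUserinfo,
    // Policy 2 (confirm): name the real destination and ask.
    prompt: hasUserinfo
      ? `This link goes to ${u.hostname}, not "${user}". Continue?`
      : null,
  };
}

const samples = [
  "http://www.example.com@login.example.net/news.html",
  "https://www.example.com%2Faccount@login.example.net/",
  "http://www.example.com/products/page.aspx@login.example.net/news.html",
  "ftp://alice:secret@ftp.example.org/pub/",
];
for (const s of samples) console.log(s, inspectUrl(s));
```

The third sample shows the boundary case: an "@" that appears after the first "/" is part of the path, so the parser reports no userinfo and the host is the name at the start of the URL.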