Marco Trova's weblog

Italian .NET life

Internet Explorer is getting worse day by day..

"Marco, one user reports that he can't connect to our sister site with his credentials. He has just installed security patch (MS04-004) from Microsoft.."

The knowledgebase article says:

The following URL syntax is no longer supported in Internet Explorer or in Windows Explorer after you install the MS04-004 Cumulative Security Update for Internet Explorer (832894):
http(s)://username:password@server/resource.ext

This article is intended to notify you of this change in the default behavior of Internet Explorer. If you include user information in HTTP or HTTPS URLs, Microsoft recommends that you explore the workarounds that are described in this article before you install the 832894 security update. For additional information about the 832894 security update, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp

"Yes, that patch has broken our small SSL Single Sign on system!"

Our site was designed with standards in mind (RFC 2617), to support even Netscape 4.x browsers and multiple platforms..

But now a web site is dependent on a client behaviour.. Wonderful, but unnatural..

Mozilla, Firefox, Opera and Netscape continue to support this standard.. (have you seen how fast Firefox is?)

IE has not been updated for ages, but instead it loses features along the road: I call it a downgrade..

Years of development must be re-thought..

Any ideas on a small, simple single sign-on system?
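To make the two things being confused here concrete: what RFC 2617 actually defines is the Authorization header, while the `user:password@host` form is only a browser convenience that puts the same secret into the address bar, history and logs. The script below is an added example, not code from the original post or from Microsoft: it strips userinfo out of a URL, builds the equivalent `Authorization: Basic` header a conforming client would send, and flags log or history lines that still carry credentials in the URL. The hostnames, credentials and log lines are constructed for illustration and nothing is sent over the network.

```python
"""Added example: RFC 2617 Basic credentials moved out of the URL and into
the Authorization header, plus a check for URLs that still embed them.
All hostnames, credentials and sample lines are constructed; none are real."""
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_userinfo(url):
    """Return (clean_url, username, password).

    username and password are None when the URL carries no userinfo.
    clean_url is what should reach history, logs and Referer headers:
    the credentials are removed from the authority part entirely."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    host = parts.hostname or ""
    if ":" in host:                       # keep IPv6 literals bracketed
        host = "[" + host + "]"
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    # userinfo may be percent-encoded in the URL (RFC 3986 section 3.2.1)
    user = unquote(parts.username)
    password = unquote(parts.password) if parts.password is not None else ""
    return clean, user, password


def basic_auth_header(username, password):
    """RFC 2617 section 2: 'Basic' SP base64(userid ':' password)."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def request_for(url):
    """What a conforming client sends for a userinfo URL: the cleaned URL and
    the headers, with the secret only in Authorization (send over HTTPS)."""
    clean, user, password = split_userinfo(url)
    headers = {"Host": urlsplit(clean).netloc}
    if user is not None:
        headers["Authorization"] = basic_auth_header(user, password)
    return clean, headers


def urls_with_credentials(lines):
    """Defender's check over proxy-log or browser-history lines: return every
    http(s) URL token that still embeds a username, i.e. a credential that
    has leaked into plain text storage."""
    flagged = []
    for line in lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                if urlsplit(token).username is not None:
                    flagged.append(token)
    return flagged


if __name__ == "__main__":
    # Constructed sample: the sister-site URL form the post describes.
    url = "https://alice:s3cret@sso.example.com:8443/resource.ext?x=1"
    print(request_for(url))
    sample_log = [  # constructed proxy-log lines, not real data
        "2004-03-06 11:42:01 GET http://www.example.com/index.html 200",
        "2004-03-06 11:42:07 GET https://alice:s3cret@sso.example.com/resource.ext 200",
        "2004-03-06 11:42:09 GET http://bob@intranet.example.com/home 200",
    ]
    print(urls_with_credentials(sample_log))
```

The `urls_with_credentials` check is the part worth keeping after the migration: if it ever finds a hit in proxy logs or exported browser history, that credential has been written to disk in clear text and should be treated as exposed.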

Comments

Damian said:

Embedding the username and password in the URL was never part of the RFC. In fact, the RFC explicitly states that this shouldn't happen.

So, IE is getting more standards compliant by the day :)
# March 6, 2004 11:42 AM

David Cumps said:

IE follows the standard now ;)

But if you want it back (like I did), here's a solution:
http://weblogs.asp.net/cumpsd/archive/2004/02/07/69366.aspx
# March 6, 2004 12:05 PM

Marco Trova said:

But if all browsers support it, for me it is a standard "de facto"..

For the solution.. How can I tell my 60,000 users: "Hey, you have to install a small registry patch to navigate on my site!"
# March 6, 2004 12:11 PM

senkwe said:

>> But if all browsers support it, for me it is a standard "de facto".. <<

Be careful what you wish for. By that logic, since 90% of the world's desktops run Windows, all related MS desktop technologies should be considered "de facto standards". I'm sure you don't want that :-)
# March 6, 2004 12:51 PM

denny said:

So Marco you made a choice to use something without thinking about it....

and like a lemming you ran off the edge of a cliff that was in plain view the whole time...

and now you are upset at ms for fixing a bad option.

sorry Marco but to me this is right alongside suing the fast food place for serving "Hot" coffee cause you spilled some and got burned.


how does that work?

simple

if you request a password protected "thing" by placing the username and password
IN PLAIN SIGHT
In PLAIN TEXT
ACROSS THE INTERNET

then why bother with having a password at all?

look around Marco....

who uses Telnet today?
any UNIX / LINUX sites use SSH
in place of Telnet and FTP.

same idea: TELNET and FTP are not secure and use plain text for passwords ....

Why do Microsoft and many others tell folks to use forms authentication only on a web page that uses SSL?
same reason....

sorry if this seems hard for you....
but I would for one not trust a site using the
foo:bar@domain

do an ssl forms auth and tell the users you have made the site more secure....

deal with it.

and think about this stuff before you design a security system.
# March 6, 2004 3:11 PM

Marco Trova said:

denny, that authentication was in Basic Authentication for about five years..
When you come and you try to change these things, you can't throw out the window all applications made in five years..
this patch has broken our plans to upgrade, to make better security.. in a manner that you can't recover from..

denny, security is not a choice only about technology.. :-P
# March 6, 2004 5:58 PM

denny said:

normal basic auth uses a popup where the browser at least tries to hide the password from anyone standing around or who uses the web client later.

the url + password leaves the info in plain sight for any 7 year old to find.

it was a bad idea from day one.

frankly I am surprised that anyone even used it.

and at least with "basic" as is normally used it can be done via https/ssl so that it's sent with ssl protection.

but when you use the url you create a target.
any trojan, snoop... or casual semi-hacker can go to the history and read the user + password + site name when it's entered in a url.

and I think that saying "you can't throw out the window all applications made in five years"

is silly unless every app written depended on this goofy way of authenticating users.

do you mean that you wrote at least 1 app every year that did this?

hey what ever..... sorry for you it's a pain.
move on.... get with the times...
PS: "in a manner that you can't recover from.. "
?Huh? so they have to enter a password now?
and you have to add a normal login process?
that's not something you can "recover from" ?
nuff said....
# March 6, 2004 7:00 PM

Marco Trova said:

denny, that choice wasn't made by me: my work is to plan an upgrade from this situation.

This type of authentication is used only by a fraction of my users, coming from a WLAN, i.e. from an intranet: a simple single sign on..

But now, with the patch applied, what can we do?

But read this article: http://support.microsoft.com/default.aspx?kbid=281408
It still suggests using this method..
# March 7, 2004 11:57 AM
