Marco Trova's weblog

Italian .NET life

Mozilla developers smarter than IE developers

Ian Bicking on his blog:

The dots in usernames and passwords encoded in URLs are now escaped (so http://www.mozilla.org:roadmap.html@evilscam.net/ becomes http://www%2Emozilla%2Eorg%3Aroadmap%2Ehtml@evilscam.net/), making phishing scams easier to detect (bug 240754).

This is a much more clever solution than simply removing the ability to specify usernames and passwords in URLs (something which I do in fact use every so often).
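The escaping described in the quoted release note, as an added example that is not part of the original post and is not Mozilla's code: it separates the userinfo from the host the browser will actually contact and rebuilds the escaped display form. The function name `describeUserinfo`, the `looksLikeHost` heuristic and the sample URLs other than the one from the post are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names; not Mozilla's implementation).
// Splits a URL into its userinfo and real host, then rebuilds a display form
// with "." and ":" in the userinfo percent-escaped, as in the quoted note.
function describeUserinfo(rawUrl) {
  const u = new URL(rawUrl); // WHATWG URL parser, built into Node and browsers

  // Everything before "@" is userinfo; the connection goes to u.hostname.
  let userinfo = u.username;
  if (u.password !== "") userinfo += ":" + u.password;

  if (userinfo === "") {
    return { hasUserinfo: false, realHost: u.hostname,
             looksLikeHost: false, display: u.href };
  }

  // "." -> %2E and ":" -> %3A, so the userinfo no longer reads as a hostname.
  const escaped = userinfo.replace(/[.:]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

  return {
    hasUserinfo: true,
    realHost: u.hostname,
    // Heuristic (assumption): a username shaped like a dotted hostname is
    // the pattern that makes the URL misleading to a reader.
    looksLikeHost: /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username),
    display: `${u.protocol}//${escaped}@${u.host}${u.pathname}${u.search}${u.hash}`,
  };
}

// Constructed sample inputs: the URL from the post plus two benign ones.
const samples = [
  "http://www.mozilla.org:roadmap.html@evilscam.net/",
  "https://www.mozilla.org/roadmap.html",
  "ftp://anonymous:guest@ftp.example.org/pub/",
];
for (const s of samples) console.log(s, describeUserinfo(s));
```
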


Comments

kpako@yahoo.com (Dare Obasanjo) said:

Sending usernames and passwords in clear text over HTTP, especially in the URL of the HTTP GET request is so ridiculously insecure I can't believe anyone actually put that in an RFC without it being an April 1st joke.
# May 11, 2004 1:46 PM

Marco Trova said:

The post talks about the style in which this solution was implemented, not what was resolved.
# May 11, 2004 1:57 PM

Jerry Pisk said:

Marco, the problem is that those URLs do not follow standards, and if Mozilla bills itself as a standards-compliant browser then it should not be sending user names and passwords in URLs. Mozilla developers are not smarter, they're just ignorant.
# May 11, 2004 2:55 PM

Larry Osterman said:

I agree with Jerry - I thought that one of the big things that the Mozilla people were always harping on is how much more standards-compliant their browser is than IE.

Well, they're purposely introducing non-standard behavior with this fix.

And do you really believe that Aunt Tilly (or Abby) will understand that www%2emicrosoft%2ecom really doesn't go to microsoft.com?

They see all sorts of weird URL encodings in the command line; people tend to ignore them.

Better to cut the bad behavior off before it starts.
# May 11, 2004 3:12 PM

Marco Trova said:

I agree with all of you, but I have to comment on how different the approach to solving the problem is.

Mozilla developers have at least started a discussion on how to solve the problem.

The comments on bug 240754 say this is not the solution to the bug; it only shows these _wrong_ types of URLs in an encoded format.
# May 11, 2004 3:24 PM

Jerry Pisk said:

Marco, you don't get the point - the only problem there is that there are browsers that allow you to specify user name and password in a URL, which is breaking the standards. Encoding those is not a solution, removing the functionality is the solution. It should've never been there.
# May 11, 2004 5:20 PM

Marco Trova said:

If it is not an RFC standard, it was implemented for years in ALL browsers. Developers have been using this hack for years. Right or not, this patch has broken those wrong web applications.

We developers who have to maintain these badly developed web applications have to explain to our customers that a Microsoft patch has broken their work. :-S

The solution could have been different, I think. Only this.
# May 12, 2004 4:46 AM

Jerry Pisk said:

So you're saying that no matter what Microsoft does they're always going to be wrong. If they follow standards they're wrong, if they don't follow them they're wrong as well.

If you're going to argue that they should do what the majority does, then you should apply it both ways: Mozilla should do what the majority of browsers in use do, such as support ActiveX (which they do, it's just not as simple and secure as with IE), render pages that are not standard HTML, render invalid CSS, implement a broken box model for transitional HTML and so on...
# May 12, 2004 3:07 PM

William Evans said:

If Mozilla is so smart, WHY did the new version COMPLETELY DIE ON ME? Nothing works now!!

# December 24, 2008 9:39 AM