[thelist] Now, about that critical security patch for IE on Windows...

Mark Kennedy mark at eurogamer.net
Mon Feb 16 05:41:05 CST 2004


Hi List,

I don't know if this has been brought up during the discussion of the patch, but
reading the release notes, I saw this:

"This Internet Explorer cumulative update also includes a change to the
functionality of a clear-text authentication feature in Internet Explorer. The
update removes support for handling user names and passwords in HTTP and HTTP
with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet
Explorer. The following URL syntax is no longer supported in Internet Explorer
or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext"

At about the same time, I received a barrage of emails from clients who had been
sent automated emails containing links with usernames and passwords in said
format.  I don't want to get involved in discussing the security implications of
me using this feature -- it was only used as a convenience for low security
guest accounts.

Nevertheless, it's a bit of a nuisance that they've now disabled this feature in
IE (although I believe it can be turned back on the preferences page) and I
thought I'd bring it up in case it impacts anybody else in the same way.

Regards

Mark
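
Added example (not part of the original message): one way to find links that use the http(s)://username:password@server syntax quoted above in an outgoing mail body and rewrite them without the credentials. The function names and the sample body are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate http(s) URLs in free text, ending at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def strip_userinfo(url):
    """Return (url_without_userinfo, had_userinfo) for a single URL."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, False
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    try:
        port = parts.port
    except ValueError:                   # malformed port: drop it rather than guess
        port = None
    netloc = host if port is None else f"{host}:{port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, True

def scan_mail_body(body):
    """Return (rewritten_body, findings). Findings never contain the password."""
    findings = []

    def _rewrite(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")      # sentence punctuation is not part of the link
        clean, had_userinfo = strip_userinfo(url)
        if had_userinfo:
            p = urlsplit(url)
            findings.append({"host": p.hostname, "username": p.username,
                             "has_password": p.password is not None})
        return clean + raw[len(url):]

    return URL_RE.sub(_rewrite, body), findings

# Constructed sample body (not taken from the original message).
SAMPLE = (
    "Guest login: http://guest:letmein@www.example.com/members/index.html.\n"
    "Mirror: https://guest@example.org:8443/files?ref=mail\n"
    "Contact: http://www.example.com/contact?to=mark@example.com\n"
)

if __name__ == "__main__":
    rewritten, found = scan_mail_body(SAMPLE)
    print(rewritten)
    print(found)
```

An "@" in the path or query string, as in the third sample line, is not userinfo and is left untouched.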



