Skip to Content
Uncategorized

Microsoft to break Internet Explorer’s handling of some URLs to improve security.

A web browser’s URL can encode a username and a password, using a URL that looks like this:http(s)://username:password@server/resource.extUnfortunately, it turns out that numerous hackers have discovered that you can create a URL that looks like this:https://www.paypal.com…………………………………….. …………………….. ………………………… ……..:……. @badserver.com/and…

A web browser’s URL can encode a username and a password, using a URL that looks like this:


http(s)://username:password@server/resource.ext


Unfortunately, it turns out that numerous hackers have discovered that you can create a URL that looks like this:


https://www.paypal.com.................
...........................
..........................
..............................
........:....... @badserver.com/


and most people won’t see the periods and will, instead, think that they are logging into the Paypal server.

This Microsoft Knowledgebase article gives warning that “Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs.”

The software will be released through Windows Update, which means that it will be picked up very fast. Of course, this patch also means that Microsoft will be breaking some customer URLs.

Important points here:

1. The user:password@host syntax never really caught on. Instead, cookie-based authentication did, as did browsers caching usernames and passwords, so most people won’t be adversely affected.

2. It’s interesting that Microsoft is increasing breaking features to improve security.

3. You should be paying attention to the fact that Microsoft now has this interesting ability to change software out in the field. So far they’ve only used this power for security updates. This is one of the first times that they’ve used it to remove a working feature.

Keep Reading

Most Popular

The inside story of how ChatGPT was built from the people who made it

Exclusive conversations that take us behind the scenes of a cultural phenomenon.

How Rust went from a side project to the world’s most-loved programming language

For decades, coders wrote critical systems in C and C++. Now they turn to Rust.

Design thinking was supposed to fix the world. Where did it go wrong?

An approach that promised to democratize design may have done the opposite.

Sam Altman invested $180 million into a company trying to delay death

Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.