Microsoft to break Internet Explorer’s handling of some URLs to improve security.
A web browser’s URL can encode a username and a password, using a URL that looks like this:
http(s)://username:password@server/resource.ext
Unfortunately, it turns out that numerous hackers have discovered that you can create a URL that looks like this:
https://www.paypal.com............................................................................................................:.......@badserver.com/
and most people won’t see the periods and will, instead, think that they are logging into the Paypal server.
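A link scanner or mail filter can catch this by parsing the URL and comparing the part before the "@" with the host the browser will actually contact. The sketch below is an added example, not code from the article or from Microsoft; the function names, verdict labels and sample links are assumptions, and it uses the standard `URL` parser found in browsers and Node.js.

```javascript
// Added example, not from the original article. Names and sample links are constructed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; } // keep malformed %xx as-is
}

function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { verdict: "unparseable", host: null, apparentHost: null };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "not-http", host: url.hostname, apparentHost: null };
  }
  // Everything before the last "@" in the authority is userinfo, not the server.
  const username = safeDecode(url.username);
  if (username === "" && url.password === "") {
    return { verdict: "no-userinfo", host: url.hostname, apparentHost: null };
  }
  // Drop the run of periods used as padding, then see if what is left reads as a hostname.
  const candidate = username.replace(/\.+$/, "").toLowerCase();
  const looksLikeHost = /^[a-z0-9-]+(?:\.[a-z0-9-]+)+$/.test(candidate);
  if (looksLikeHost && candidate !== url.hostname) {
    return { verdict: "userinfo-impersonates-host", host: url.hostname, apparentHost: candidate };
  }
  return { verdict: "userinfo-present", host: url.hostname, apparentHost: null };
}

// Constructed sample links (badserver.com is the article's placeholder host).
const SAMPLE_LINKS = [
  "https://www.paypal.com/signin",
  "https://www.paypal.com.............:.......@badserver.com/",
  "http://alice:s3cret@intranet.example/resource.ext",
];

for (const link of SAMPLE_LINKS) {
  const r = inspectLink(link);
  console.log(r.verdict.padEnd(28), "real host:", r.host, "| shown as:", r.apparentHost);
}
```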
This Microsoft Knowledgebase article gives warning that “Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs.”
The software will be released through Windows Update, which means that it will be picked up very fast. Of course, this patch also means that Microsoft will be breaking some customer URLs.
Important points here:
1. The user:password@host syntax never really caught on. Instead, cookie-based authentication did, as did browsers caching usernames and passwords, so most people won’t be adversely affected.
2. It’s interesting that Microsoft is increasingly breaking features to improve security.
3. You should be paying attention to the fact that Microsoft now has this interesting ability to change software out in the field. So far they’ve only used this power for security updates. This is one of the first times that they’ve used it to remove a working feature.