Curiosity is bliss    Archive    Feed    About    Search

Julien Couvreur's programming blog and more

Upcoming fix for IE url spoofing bug


Over a month back a security bug was discovered in IE that allows the address displayed in IE to be different for the actual address. Here is a description and demo of the spoof attack.

Apparently, the upcoming fix includes dropping the http://user:pwd@domain/ url format support.
This is a radical "fix" and the response by security experts (mentioned in the article) was surprising. This format isn't the root cause for the specific bug and the "fix" is going to break stuff (not to mention IE's support for standards).
In any case, I hope they correct the bug that caused the end of the url (following the %01 character) not to be displayed in the first place.

User:Pwd@Domain format:
The problem with this url format (user:pwd@domain:port) is it confuses most end-users, who don't understand it. And the url can be obfuscated even further if the domain is an IP address in decimal format (as mentioned on slashdot at least a year back).
Another factor is that this is a pretty insecure format to transmit credentials. It probably stays in the browser's history and can be sniffed over non-secured connections.

Richard offers an alternative fix: hiding the user:pwd part in the address bar. But hiding stuff is also dangerous security-wise.
Here are two other ideas:

  • Color coding: Help the user understand the format by using syntax highlighting. If the username and password were in red and the domain was in bold, it would always be clear what domain is used.
  • Text boxes: Add two text boxes in addition to the address bar, for the username and password. They would only appear when you encounter a url of that type or if you activate them (via the View menu).

Update: Simon Willison's take on the fix, with interesting pointers to Microsoft's KB article and a related Mozilla bug (which actually already mentions both suggestions above).

Update: The fix is now available.

Update: Both RFC 1738 and RFC 2396 mention the "userinfo" part in the generic URL scheme.
But RFC 1738 then goes into the specifics of the HTTP URL scheme and it doesn't allow the username and password in the URL:

3.3. HTTP

The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs.

An HTTP URL takes the form:


where <host> and <port> are as described in Section 3.1. If :<port> is omitted, the port defaults to 80. No user name or password is allowed. <path> is an HTTP selector, and <searchpart> is a query string. The <path> is optional, as is the <searchpart> and its preceding "?". If neither <path> nor <searchpart> is present, the "/" may also be omitted.

Within the <path> and <searchpart> components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure.

Also, the BNF for specific URL schemes clearly allows the use of a username and password in the ftp scheme, but not for http.


RFC 1738 may not appear to permit user:passwd in the URL but 2396, which obviates most of 1738 mentions in section 3.2.2 that "URL schemes that involve the direct use of an IP-based protocol to a specified server on the Internet..." [which presumably includes HTTP] "use a common syntax for the server component of the URI's scheme-specific data: @:". So to me, there's no question but that the IE fix violates the standard.

Posted by: Richard Blaine (May 14, 2004 12:29 PM) ______________________________________

The Mozilla team implemented another fix:
The username and password need to be url-escaped, which should succeed in clearing any confusion betwen a username and a hostname.

Posted by: Dumky (May 14, 2004 03:02 PM) ______________________________________

This is not a "fix" or "solution" at all. Microsoft will break next standard and it will hit the techs and some parts of business as a whole.

Posted by: David Graf (August 1, 2004 09:21 AM)
comments powered by Disqus