Rupert Goodwins' Diary

Wednesday 4/2/2004
Microsoft's latest IE patch is patchy. So users tell us   -- the magic to stop information hiding in URLs past the @ sign only works if you haven't got much else installs that uses Internet Explorer. It's also not quite true for Microsoft to say that the patch itself -- which merely rejects URLs with @ in -- is acceptable because nobody uses such things legitimately.

Which just ain't so. The syntax lets you include username and password in a URL, so http://fred:bloggs@bionichamster.com -- which isn't very secure, but it's a powerful way to give non-technical users limited access to resources. I run an FTP server and use it a lot to send huge files -- pictures, PDFs and the like -- to people whose mailboxes wouldn't cope with the impact of a few megs, and who aren't comfortable with logging in. Just create an account for them, invent a password, roll an FTP URL and slam it off: all matey has to do is click and download, and the file is theirs. It doesn't matter if someone intercepts the URL; after the file's been transferred I just delete the account, and it's only got read access to a single directory anyway. No, you wouldn't use it for many purposes -- but half the trick of security is finding the appropriate solution to each problem.

Now I can't do that, not because there's an inherent flaw in the idea but because one implementation is wonky. Now MS has poisoned the whole business: even if they fix IE in the future to deal with the problem properly, there'll be an unknown number of users out there with browsers that just won't work.

One more little trick that made the Net our own removed, and for no good reason. Gah, I say.