January 29, 2004

Changes in IE's URL handling

InfoWorld reports on Microsoft's change in how IE handles usernames and passwords in URLs. Until this change, you could use URLs like this:

http://username:password@www.site.com/

Granted, this isn't super secure. The username and password are passed in clear text, making them easy pickings for anyone who really wants access to your site (and knows what they are doing). Rather, the method is best used as a deterrent to keep out prying eyes.

The method was pretty useful. I've used it to send URLs to clients for our password-protected client site. But the technique has been abused by spammers to create URLs that look like they're coming from legitimate sites (e.g., http://www.amazon.com@www.evil.com/). And I've been seeing some pretty creative spam in my inbox, including ones that look like Amazon order confirmations and Earthlink tech support instructions. Nasty stuff, and I won't mind if those go away.
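
For mail filters or link checkers that still have to deal with such URLs, here is an added example (not part of the original post) that reports the host a URL really connects to and flags userinfo that is shaped like a hostname. The function names and the hostname pattern are assumptions made for this sketch; the third sample URL is constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Loose "looks like a DNS name" pattern: dot-separated labels ending in an alphabetic TLD.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Report the host a URL really connects to and classify its userinfo part."""
    parts = urlsplit(url)
    report = {
        "real_host": parts.hostname,   # everything after the last "@" in the authority
        "userinfo": None,
        "has_password": parts.password is not None,
        "verdict": "ok",
    }
    if "@" not in parts.netloc:
        return report
    user = unquote(parts.username or "")
    report["userinfo"] = user
    # A username shaped like a hostname that differs from the real host is the
    # spoofing pattern; anything else is plain embedded credentials.
    if HOSTLIKE.match(user) and user.lower() != parts.hostname:
        report["verdict"] = "spoof-suspect"
    else:
        report["verdict"] = "embedded-credentials"
    return report


def strip_userinfo(url):
    """Return the URL with any user:password@ prefix removed, e.g. before logging it."""
    parts = urlsplit(url)
    host_and_port = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host_and_port, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    samples = [
        "http://username:password@www.site.com/",   # form shown in the post
        "http://www.amazon.com@www.evil.com/",      # spoof example from the post
        "http://www.site.com/clients/",             # constructed: no userinfo
    ]
    for s in samples:
        r = inspect_url(s)
        print(f"{r['verdict']:22} host={r['real_host']:15} safe={strip_userinfo(s)}")
```
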