Forum Chat

Mar23,13:31 Johan Marechal
Wees gegroet
Sep20,17:50 Vicente Duque
Kim, Martin, Others :...
Jul07,11:10 Johan Marechal
Jul05,21:13 martin
Fastest in the bush
Jul05,07:48 martin
Jun28,21:16 martin
New domain / new blog!
Jun28,21:11 martin
On posting etiquette

Send the Dummies to the Registry

Comment on this article

This you have to see to believe. The saga goes as follows. First, there's a problem in Internet Explorer that allows phising scams on a large scale. That is, you can construct URLs looking as if they go to one site, while actually going to another site, and you can create this impression by using the '@' character and a few control characters in the URL. The problem is that IE does not display the rest of the URL after those control characters.

So what does Microsoft do? Well, of course they fix the bug that makes control characters muck up the display of the URL. Right. Sure... or...? No, instead, in a genius stroke of creativity, they decide not to allow username/passwords in URLs anymore! I really don't know if these username/password things in URLs are a standard or not, but they're in fairly wide use and there's actually no workaround for just dropping them. MickeySoft in their infinite wis... something... sent this modification out as a security patch in february.

It didn't take long for a lot of people to let out screams of anguish, so MS backtracked. On february 17th, 2004, they published how you can convince your browser to accept these URLs anyway. You can find the description of it in the knowledgebase article 834489. In short, what it says is to add the following keys to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE "iexplore.exe"=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE "explorer.exe"=dword:00000000

Who is the user?

Now think about this for a minute. When do we use URLs in our links with a username and password embedded? Well, I for one, do it only when I think the user is too lazy or too simpleminded to be able to handle an authentication dialog box on his/her own. I really want them to go through an authentication barrier with the absolute minimum of hassle.

Now MickeySoft tells us that the only thing we need ask these lazy or simpleminded users of ours to do is to enter these two registry entries that require searching through the registry after a particular unintuitive key and then add two double word hex entries exactly the right way. This whole process actually demands more dexterity and intellectual acuity than 90% of the human race posesses. But we're not expecting this of an average sample of the human race, but of the lower half of that sample (or we wouldn't have gone to the length of pre-formatting in the username and password into the URL, would we?)

From what fricking planet are these MickeySoft guys? (Actually, there's still hope: most of the people that need these embedded username/passwords won't be able to update the registry if they ever find it, and they won't bother updating their systems either. So they can go on using the embedded URLs. And be phised to their heart's content.)

Comment on this article