Simon Willison’s Weblog

No more usernames in URLs

30th January 2004

This one could get very interesting. Microsoft have announced that an upcoming update to Internet Explorer will remove the ability to include usernames in URLs completely. This is in response to the growing problem of so called “phishing” scams, which use trick URLs to con important information such as passwords and credit card details out of unsuspecting browser users.

Phishing is big business. In this article on SecurityFocus, a loose transcript is provided of a talk by an FBI agent who explains how phishing is used by organised crime gangs in Eastern Europe:

This is bad enough and it’s also cruelly funny, but the scary part came in when Dave started talking about the other group behind the explosion of viruses and Trojans: Eastern European hackers, backed by organized crime, such as the Russian mafia. In other words, the professionals.

These people are after one thing: money. The easiest way to illegally acquire money now is through the use of online tools like Trojans, or through phishing: set up a fake Web site for PayPal or eBay or Amazon, and then convince the naive to enter their usernames, passwords, and credit card information. Viruses and spam also intersect in this nasty spiderweb. Viruses help spread Trojans, and Trojans are used to turn unsuspecting users’ computers into spam factories, or hosts for phishing expeditions, and thus furthering the spread of all the elements in this process: viruses, Trojans, spam, and phishing. It’s a vicious cycle, and unfortunately, it appears to be getting worse. The FBI is working as hard as it can, but the nations of Eastern Europe are somewhat powerless to solve the problem at this time.

IE is so susceptible to this kind of attack that it’s not even funny. In addition to the “invisible username” bug I covered last month, a recent discovery compounds the problem by allowing dangerous executable files to pose as safe file types when downloaded from the web. New Explorer hole could be devastating has the full details.

Microsoft’s solution is drastic to say the least. Passing the username as part of a URL has been part of the makeup of the internet since at least 1994, and the ability is baked in to a huge range of web client and server software. It’s described in RFC 23996. The feature is rarely used however, and the overall effect of its removal from IE is hard to judge. Off the top of my head I can think of only one site that uses it for legitimate reasons: FilePlanet, which incorporates it in to the site’s download queuing system (at least last time I checked).

There’s an interesting contrast to be made here between open and closed development methodologies. The Mozilla project has had a bug open on this issue for over two years, which has drawn over 170 comments with plenty of great ideas but no approved solution. Microsoft on the other hand have remained silent on the issue until (we can only assume) the bad publicity surrounding it forced them to act, at which point they announced a fix that appears to gly in the face of commonly accepted web standards—but does undoubtedly solve the problem. Of course, with no chance for user feedback prior to the decision it amounts to little less than a decree from God—which correlates directly to their inarguable domination of the browser market, at least in terms of market share.

Of course, the millions of IE users who decline to upgrade their browser will remain just as susceptible as they always were (unless they stop clicking links)—a fact for which we can hardly blame Microsoft. It does however mean that phishing will remain a lucrative scam for a long time to come.