Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs
Remember that earlier post about Internet Explorer URLs not always pointing where they seem? MS is taking an interesting approach to closing up this security hole: they plan on disabling support for URLs containing user information. To me, this seems likely to add confusion, especially for users who don't really have an in-depth understanding of the world of protocols, URIs, domains and logons.
If this had been my hot potato to handle, I would have opted for a different solution: make IE launch a warning dialog by default when navigating to a username:password@server/page.ext-style URL. The warning dialog would clearly show the server/domain name, the resource name, etc. Ideally, spam-blocking databases could be extended to store information on phishing scams and the domains used to host illegitimate logon pages. IE could connect to such a database over a web service and show a different (more alarming-looking) warning in response.
Nah... that would be too elegant.
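Such a dialog has to show the server the browser will actually contact, which is the part of the authority after the @ sign, not the text in front of it. The sketch below is an added example, not code from Microsoft or from the original post; the function name and the sample URLs are constructed for illustration. It uses the standard URL parser to pull out the fields the dialog would display.

```javascript
// Added example: fields a userinfo warning dialog could display.
// describeUserinfoUrl and the sample URLs below are hypothetical.
function describeUserinfoUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { valid: false, warn: false };
  }
  // The behavior discussed here concerns HTTP and HTTPS URLs only.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { valid: true, warn: false, server: url.hostname };
  }
  const hasUserinfo = url.username !== '' || url.password !== '';
  let user = url.username;
  try {
    user = decodeURIComponent(url.username); // show it as the user would read it
  } catch {
    // malformed percent-escape: keep the raw form
  }
  // Userinfo shaped like a hostname is the misleading case: the reader
  // sees a familiar name, but the request goes to the host after the @.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user);
  return {
    valid: true,
    warn: hasUserinfo,
    deceptive: hasUserinfo && looksLikeHost,
    server: url.hostname,                  // where the request really goes
    resource: url.pathname + url.search,   // what is being requested
    // Never echo the password itself in a dialog.
    userinfo: hasUserinfo ? user + (url.password ? ':***' : '') : null,
  };
}

// Constructed sample input (documentation-range address and .example names).
const samples = [
  'http://www.bank.example@198.51.100.7/logon.asp',
  'http://alice:s3cret@intranet.example/page.ext',
  'https://www.bank.example/logon.asp',
];
for (const s of samples) {
  const d = describeUserinfoUrl(s);
  console.log(d.warn ? 'WARN' : 'ok  ', d.server, d.resource, d.userinfo ?? '-',
              d.deceptive ? '(userinfo looks like a host name)' : '');
}
```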
MSKB Reference: Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs