The IE Patch (MS04-004) demystified

Many people have asked what the scoop is on the recent IE update, and why Microsoft disabled passwords over HTTP. First, the change only affects URLs of the type:

https://username:password@www.microsoft.com

Now, one thing many people are not aware of is that this format is not a supported URL format for HTTP, as per RFC 1738:

3.3. HTTP

The HTTP URL scheme is used to designate Internet resources
accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only
describes the syntax of HTTP URLs.

An HTTP URL takes the form:

http://<host>:<port>/<path>?<searchpart>

In fact, in my very first book, “Designing Secure Web-Based Applications for Microsoft Windows 2000”, I made a comment about the username:pwd format:

Please also note that this method has been tested in Internet Explorer 5 and Netscape Navigator 4.7, but that there's no guarantee it will work in any other browser.

Next, the change in MS04-004 does not affect people building apps that embed an identifier in the querystring. And finally, it does not affect the FTP case, where username:pwd is totally valid.
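To make the distinction concrete, here is an added example (my own code, not from the KB article or Microsoft) that parses a URL and reports whether it carries a user:password part in the authority, whether RFC 1738 defines that part for the scheme (it does for ftp, not for http), and whether the URL is therefore of the kind MS04-004 stops IE from loading. It also strips the credentials so the URL can be logged safely. The sample URLs are constructed for the example; the hostnames ending in .test are placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Schemes for which RFC 1738 defines a <user>:<password>@ part in the URL.
# Section 3.3 defines HTTP URLs only as http://<host>:<port>/<path>?<searchpart>,
# so http and https are deliberately absent from this set.
USERINFO_SCHEMES = {"ftp"}


def classify_url(url):
    """Describe where the credentials (if any) in a URL sit and whether the
    scheme permits them. Returns a plain dict so callers can log or filter on it."""
    parts = urlsplit(url)
    # urlsplit puts everything before the '@' into username/password;
    # the real host is what follows it, which is what the browser connects to.
    has_userinfo = parts.username is not None or parts.password is not None
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "userinfo_present": has_userinfo,
        "userinfo_allowed": parts.scheme in USERINFO_SCHEMES,
        # MS04-004 only affects http/https URLs that embed username:password.
        "blocked_by_ms04_004": has_userinfo and parts.scheme in ("http", "https"),
    }


def strip_userinfo(url):
    """Return the URL with any user:password@ part removed (safe for logs).
    The path, query string and fragment are left untouched, so an identifier
    passed in the querystring survives, matching what the patch leaves alone."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    # Keep host (and port, if given) after the last '@' in the authority.
    host_port = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host_port, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs covering the three cases discussed above.
    samples = [
        "https://username:password@www.microsoft.com",   # blocked by MS04-004
        "ftp://user:pw@ftp.example.test/pub/",            # valid per RFC 1738, unaffected
        "https://www.example.test/app?id=12345",          # identifier in querystring, unaffected
    ]
    for u in samples:
        print(u, "->", classify_url(u), "| sanitized:", strip_userinfo(u))
```

Running the script on the three sample URLs shows the https one flagged as blocked with its real host reported as www.microsoft.com, the ftp one flagged as allowed, and the querystring one untouched by both functions.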

You should also read the KB article about this, as it includes a registry key if you wish to enable the username:pwd format for HTTP.