Microsoft is dropping support for including authentication information in URLs, of the style http://username:password@server/... This comes after a recent vulnerability found in Internet Explorer that allows miscreants to display fake URLs in the address bar, the fix for which was released yesterday.
I'm in favor. Very few people use this feature, and it's mostly just a hazard. By removing support for this, I no longer feel like I have to tell strangers on the street to watch out for web addresses that look like http://www.bankofamerica.com@127.0.0.1/ when they receive email that looks like it comes from Bank Of America.
The flaw that allowed the URL to be obscured in the address bar was exceptionally serious. After following a strange link, the URL is the only reassurance you have that you're actually browsing a website you can trust. The trick URL above actually goes to 127.0.0.1, not to www.bankofamerica.com, because everything before the "@" is treated as a username rather than a hostname, and a bad guy could set up a site at that address that looks enough like BofA to get you to enter your account number, SSN and password. If the flaw can be exploited to make the address look like "http://www.bankofamerica.com/", then not even someone savvy to this trick would be able to tell if the site is real. I still believe organizations such as banks should not expect or encourage customers to click on links in emails, and I wonder if the technology (web or email) will ever be safe enough to reverse that position.
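To make the parsing point concrete, here is an added example (not code from the original post) that uses Python's standard URL parser to show which host a browser really connects to for a userinfo-style URL, and a simple defensive check for the lookalike pattern above. The dot-and-length heuristic in `looks_like_decoy` is an assumption for illustration, not a rule from the post.

```python
from urllib.parse import urlsplit

# Added example, not part of the original post. The authority of a URL is
# "[userinfo@]host[:port]"; everything before the last "@" is userinfo, so a
# trusted-looking name placed there never influences where the request goes.


def effective_host(url):
    """Return the host the browser actually connects to, ignoring any userinfo."""
    return urlsplit(url).hostname


def decoy_label(url):
    """Return the userinfo portion (text before '@' in the authority), or None."""
    return urlsplit(url).username


def looks_like_decoy(url):
    """Flag a URL whose userinfo looks like a hostname rather than a username.

    Heuristic (an assumption for this example): a real username rarely contains
    a dot, and a very long userinfo is a sign of padding meant to push the real
    host out of view in a narrow address bar.
    """
    user = decoy_label(url)
    if not user:
        return False
    return "." in user or len(user) > 32


if __name__ == "__main__":
    # Constructed sample URLs in the style discussed in the post.
    samples = [
        "http://www.bankofamerica.com/",
        "http://www.bankofamerica.com@127.0.0.1/",
        "http://www.bankofamerica.com" + "." * 100 + "@127.0.0.1/",
        "http://user:secret@example.com/",
    ]
    for u in samples:
        print(f"{effective_host(u):<22} decoy={looks_like_decoy(u)}  {u[:60]}")
```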
This recently actually happened to me. I received an email from a bank that I do not belong to. I was curious and followed the link to the site (checking the URL in the status bar as usual). The site asked for my password, which I knew was a bad sign. The URL looked fine though, until it dawned on me that it had like 100 "." (periods) at the end. Sure enough, scrolling to the right in the address bar led me to the hoax.
I didn't know that Microsoft was getting rid of this...