PIE (and IE) bug with URL non-compliant with RFC 1738

i don't understand why PIE (and IE too, by the way) accepts URL's like
http://1113332805 which, according to RFC 1738, are not legal syntax.

try http://1113332805 on any Pocket PC or Smartphone (or on your desktop),
and you'll see that it goes somewhere.

where does it go? well, i have not investigated the exact location of this
server, but i know it is used by scammers/phishers, as you can see here:
http://1113332805/.us/cgi-bin/

this PIE/IE bug is exploited by scammers, so MSFT, by not fixing it, is
playing their game...

Werner
Fri Jul 21 06:41:27 CDT 2006

It's (any URL without dots inside) an intra-network address. Upon
encountering URL's like this, PIE tries to use the connection parameters
used in the Work connection group.

--


--
Werner "Menneisyys" Ruotsalainen - Microsoft MVP - Windows - Mobile Devices
Please see the Pocket PC Mag Expert Blog (including mine) at
http://www.pocketpcmag.com/blogs/ - you will definitely like it.


"The PocketTV Team" <support@pockettv.com> wrote in message
news:e7KPSRLrGHA.3412@TK2MSFTNGP02.phx.gbl...
>i don't understand why PIE (and IE too, by the way) accepts URL's like
>http://1113332805 which, according to RFC 1738, are not legal syntax.
>
> try http://1113332805 on any Pocket PC or Smartphone (or on your desktop),
> and you'll see that it goes somewhere.
>
> where does it go? well, i have not investigated the exact location of
> this server, but i know it is used by scammers/phishers, as you can see
> here: http://1113332805/.us/cgi-bin/
>
> this PIE/IE bug is exploited by scammers, so MSFT, by not fixing it, is
> playing their game...
>
>
>

The
Fri Jul 21 07:15:54 CDT 2006

"Werner "Menneisyys" Ruotsalainen [MVP - Windows - Mobile Devices]"
<!ei.maileja@kiitos!> wrote in message
news:%23bROkqLrGHA.4348@TK2MSFTNGP02.phx.gbl...
> It's (any URL without dots inside) an intra-network address. Upon
> encountering URL's like this, PIE tries to use the connection parameters
> used in the Work connection group.

i don't have any intra network setup, yet this URL leads to some scammer's
server somewhere around the planet.

where do you see in RFC 1738 that URL can have a server with no dot?

this is not allowed by the standard.

so are you saying that MSFT made a proprietary extension to the internet URL
standard (RFC 1738), and that scammers and spammers are taking advantage of
this extension?

by the way, can you tell me the IP address of the site that you reach when
you go to http://1113332805 ?

the fact the the site is reached but that it's IP and real domain name is
not displayed by PIE (and IE) is, in itself, a security issue.

> --
>
>
> --
> Werner "Menneisyys" Ruotsalainen - Microsoft MVP - Windows - Mobile
> Devices
> Please see the Pocket PC Mag Expert Blog (including mine) at
> http://www.pocketpcmag.com/blogs/ - you will definitely like it.
>
>
> "The PocketTV Team" <support@pockettv.com> wrote in message
> news:e7KPSRLrGHA.3412@TK2MSFTNGP02.phx.gbl...
>>i don't understand why PIE (and IE too, by the way) accepts URL's like
>>http://1113332805 which, according to RFC 1738, are not legal syntax.
>>
>> try http://1113332805 on any Pocket PC or Smartphone (or on your
>> desktop), and you'll see that it goes somewhere.
>>
>> where does it go? well, i have not investigated the exact location of
>> this server, but i know it is used by scammers/phishers, as you can see
>> here: http://1113332805/.us/cgi-bin/
>>
>> this PIE/IE bug is exploited by scammers, so MSFT, by not fixing it, is
>> playing their game...
>>
>>
>>
>
>

Tony
Fri Jul 21 08:08:49 CDT 2006

The PocketTV Team wrote:
> "Werner "Menneisyys" Ruotsalainen [MVP - Windows - Mobile Devices]"
> <!ei.maileja@kiitos!> wrote in message
> news:%23bROkqLrGHA.4348@TK2MSFTNGP02.phx.gbl...
>> It's (any URL without dots inside) an intra-network address. Upon
>> encountering URL's like this, PIE tries to use the connection
>> parameters used in the Work connection group.
>
> i don't have any intra network setup, yet this URL leads to some
> scammer's server somewhere around the planet.
>
> where do you see in RFC 1738 that URL can have a server with no dot?

Are you sure it's not a domain name, rather than a form of address?
There's nothing wrong with having a completely numerical domain name,
all it would take would be for the browser to automatically add ".com"
or whatever if the tld is missing, and you'd see what you're seeing.
The links don't go anywhere for me, on any of my browsers, maybe the
site's been taken down already, so I can't tell for sure.

Clint
Fri Jul 21 10:06:07 CDT 2006

AFAIK, the numeric URL is a decimal representation of the IP address.

http://www.livinginternet.com/i/iw_dns_alias.htm
http://www.pc-help.org/obscure.htm

You can also check out this translator:
http://www.islandgraphicart.co.uk/php/decimal.php3

Clint

"The PocketTV Team" <support@pockettv.com> wrote in message
news:O$dNp9LrGHA.1796@TK2MSFTNGP03.phx.gbl...
> "Werner "Menneisyys" Ruotsalainen [MVP - Windows - Mobile Devices]"
> <!ei.maileja@kiitos!> wrote in message
> news:%23bROkqLrGHA.4348@TK2MSFTNGP02.phx.gbl...
>> It's (any URL without dots inside) an intra-network address. Upon
>> encountering URL's like this, PIE tries to use the connection parameters
>> used in the Work connection group.
>
> i don't have any intra network setup, yet this URL leads to some scammer's
> server somewhere around the planet.
>
> where do you see in RFC 1738 that URL can have a server with no dot?
>
> this is not allowed by the standard.
>
> so are you saying that MSFT made a proprietary extension to the internet
> URL standard (RFC 1738), and that scammers and spammers are taking
> advantage of this extension?
>
> by the way, can you tell me the IP address of the site that you reach when
> you go to http://1113332805 ?
>
> the fact the the site is reached but that it's IP and real domain name is
> not displayed by PIE (and IE) is, in itself, a security issue.
>
>> --
>>
>>
>> --
>> Werner "Menneisyys" Ruotsalainen - Microsoft MVP - Windows - Mobile
>> Devices
>> Please see the Pocket PC Mag Expert Blog (including mine) at
>> http://www.pocketpcmag.com/blogs/ - you will definitely like it.
>>
>>
>> "The PocketTV Team" <support@pockettv.com> wrote in message
>> news:e7KPSRLrGHA.3412@TK2MSFTNGP02.phx.gbl...
>>>i don't understand why PIE (and IE too, by the way) accepts URL's like
>>>http://1113332805 which, according to RFC 1738, are not legal syntax.
>>>
>>> try http://1113332805 on any Pocket PC or Smartphone (or on your
>>> desktop), and you'll see that it goes somewhere.
>>>
>>> where does it go? well, i have not investigated the exact location of
>>> this server, but i know it is used by scammers/phishers, as you can see
>>> here: http://1113332805/.us/cgi-bin/
>>>
>>> this PIE/IE bug is exploited by scammers, so MSFT, by not fixing it, is
>>> playing their game...
>>>
>>>
>>>
>>
>>
>
>

xTenn
Fri Jul 21 11:08:28 CDT 2006


"The PocketTV Team" <support@pockettv.com> wrote in message
news:e7KPSRLrGHA.3412@TK2MSFTNGP02.phx.gbl...
>i don't understand why PIE (and IE too, by the way) accepts URL's like
>http://1113332805 which, according to RFC 1738, are not legal syntax.
>
> try http://1113332805 on any Pocket PC or Smartphone (or on your desktop),
> and you'll see that it goes somewhere.
>


Try do a ping -A on 1113332805. It does resolve to an address
(dsl092-028-069.sfo4.dsl.speakeasy.net [66.92.28.69]), and I am pretty sure
that is the mechanics at play here. It is not being taken as an address,
just a name for DNS to resolve.

hel
Fri Jul 21 12:42:49 CDT 2006

xT [Fri, 21 Jul 2006 12:08:28 -0400]:
>that is the mechanics at play here. It is not being taken as an address,
>just a name for DNS to resolve.

It's an IP#. Take 209.197.121.15 for example.
This is D1.C5.79.0F, or simply 0xD1C5790F which
is 3519379727. Do

http://3519379727/

http://0xD1C5790F/

or any of these

http://209.197.121.15/
http://40th.com/
http://www.40th.com/
http://40thfloor.com/
http://www.40thfloor.com/

and you wind up at the same machine. Or ping
them if you prefer. It's possible a browser
or other app may not want to process the address
in that form, but they all are the same machine.

The fastest would be a direct number (no dots),
then the 209.197.121.15 (faster by maybe a
few millionths of a second), then the domain
names, which always have to first be converted
to a number, either from a local DNS cache or
from a far away name server, such as your ISP's
DNS machines, which can take up to a second,
each and every time it has to use it. This
is the reason many PDAs get a "page not found";
they cannot resolve the domain name since they
don't have access to a DNS server (plug in your
local desktop machine as the WINS machine tends
to work, though). Yet PIE always finds the page
if given the 209.197.121.15 IP#, instead.

PIE may or may not understand dotless IP#s, just
like any other app may or may not. In the end,
PIE uses the raw number (no dots), just as all
IP apps ultimately do. There's no reason to
use http://3519379727/ or http://0xD1C5790F/
when http://209.197.121.15/ always works, and
is identical in every way.

--
40th Floor - Software @ http://40th.com/
iPlay : the ultimate audio player for mobiles
mp3,mp4,m4a,aac,ogg,wma,flac,wav, play+record
parametric eq, xfeed, reverb; all on a mobile

xTenn
Fri Jul 21 14:31:30 CDT 2006


<hel@40th.com> wrote in message
news:%234RTW0OrGHA.4512@TK2MSFTNGP04.phx.gbl...
> xT [Fri, 21 Jul 2006 12:08:28 -0400]:
> >that is the mechanics at play here. It is not being taken as an address,
> >just a name for DNS to resolve.
>
> It's an IP#. Take 209.197.121.15 for example.
> This is D1.C5.79.0F, or simply 0xD1C5790F which
> is 3519379727. Do
>


You are correct. I was not using a commercial browser when I tried it the
first time for validation. This brings up some changes I might need to
make... so thanks for the info.

The
Fri Jul 21 17:21:57 CDT 2006

"Clint" <nobody@nowhere.non> wrote in message
news:z36wg.123307$I61.24134@clgrps13...
> AFAIK, the numeric URL is a decimal representation of the IP address.
>
> http://www.livinginternet.com/i/iw_dns_alias.htm
> http://www.pc-help.org/obscure.htm
>
> You can also check out this translator:
> http://www.islandgraphicart.co.uk/php/decimal.php3
>
> Clint

yes, thanks for the link that describe this proprietary URL format
recognized by IE.

the problem is that format absolutely not in the Internet Standard that
defines legal UTL formats (RFC 1738).

and, as explained in http://www.pc-help.org/obscure.htm , this non-standard
extension is used by scammers and spammers to obfuscate the address of their
servers.

MSFT: bad, bad, bad idea to not stick to the internet standard (RFC 1738).

The
Fri Jul 21 17:25:14 CDT 2006

thanks, hel, i totally understand how it works.

i just don't see why MSFT supports this non-standard extension (not allowed
in RFC 1738), since it is mostly useful by scammers and spammers to
obfuscate their server names.


<hel@40th.com> wrote in message
news:%234RTW0OrGHA.4512@TK2MSFTNGP04.phx.gbl...
> xT [Fri, 21 Jul 2006 12:08:28 -0400]:
> >that is the mechanics at play here. It is not being taken as an address,
> >just a name for DNS to resolve.
>
> It's an IP#. Take 209.197.121.15 for example.
> This is D1.C5.79.0F, or simply 0xD1C5790F which
> is 3519379727. Do
>
> http://3519379727/
>
> http://0xD1C5790F/
>
> or any of these
>
> http://209.197.121.15/
> http://40th.com/
> http://www.40th.com/
> http://40thfloor.com/
> http://www.40thfloor.com/
>
> and you wind up at the same machine. Or ping
> them if you prefer. It's possible a browser
> or other app may not want to process the address
> in that form, but they all are the same machine.
>
> The fastest would be a direct number (no dots),
> then the 209.197.121.15 (faster by maybe a
> few millionths of a second), then the domain
> names, which always have to first be converted
> to a number, either from a local DNS cache or
> from a far away name server, such as your ISP's
> DNS machines, which can take up to a second,
> each and every time it has to use it. This
> is the reason many PDAs get a "page not found";
> they cannot resolve the domain name since they
> don't have access to a DNS server (plug in your
> local desktop machine as the WINS machine tends
> to work, though). Yet PIE always finds the page
> if given the 209.197.121.15 IP#, instead.
>
> PIE may or may not understand dotless IP#s, just
> like any other app may or may not. In the end,
> PIE uses the raw number (no dots), just as all
> IP apps ultimately do. There's no reason to
> use http://3519379727/ or http://0xD1C5790F/
> when http://209.197.121.15/ always works, and
> is identical in every way.
>
> --
> 40th Floor - Software @ http://40th.com/
> iPlay : the ultimate audio player for mobiles
> mp3,mp4,m4a,aac,ogg,wma,flac,wav, play+record
> parametric eq, xfeed, reverb; all on a mobile

Marc
Sat Jul 22 16:03:09 CDT 2006

The PocketTV Team wrote:
> i don't understand why PIE (and IE too, by the way) accepts URL's like
> http://1113332805 which, according to RFC 1738, are not legal syntax.
>
> try http://1113332805 on any Pocket PC or Smartphone (or on your desktop),
> and you'll see that it goes somewhere.
>
> where does it go? well, i have not investigated the exact location of this
> server, but i know it is used by scammers/phishers, as you can see here:
> http://1113332805/.us/cgi-bin/
>
> this PIE/IE bug is exploited by scammers, so MSFT, by not fixing it, is
> playing their game...
>
>
>

Thunderbird on Linux takes me to http://66.99.28.69

Clint
Mon Jul 24 08:42:40 CDT 2006

I don't know why you insist on blaming MS(FT?) for this. AFAIK, other
browsers work fine with that kind of addressing as well. Ping resolves to
the IP address as well, as does an nslookup. I don't have a linux machine
handy, but I suspect it will work just fine from there too.

To be perfectly honest, I'm not sure how a IP address of 66.92.28.69 is any
easier to decipher than 1113332805. Neither one is human-readable to
determine if it's a "good" address or a "bad" one.

Clint

"The PocketTV Team" <support@pockettv.com> wrote in message
news:%23w05SQRrGHA.4324@TK2MSFTNGP03.phx.gbl...
> "Clint" <nobody@nowhere.non> wrote in message
> news:z36wg.123307$I61.24134@clgrps13...
>> AFAIK, the numeric URL is a decimal representation of the IP address.
>>
>> http://www.livinginternet.com/i/iw_dns_alias.htm
>> http://www.pc-help.org/obscure.htm
>>
>> You can also check out this translator:
>> http://www.islandgraphicart.co.uk/php/decimal.php3
>>
>> Clint
>
> yes, thanks for the link that describe this proprietary URL format
> recognized by IE.
>
> the problem is that format absolutely not in the Internet Standard that
> defines legal UTL formats (RFC 1738).
>
> and, as explained in http://www.pc-help.org/obscure.htm , this
> non-standard extension is used by scammers and spammers to obfuscate the
> address of their servers.
>
> MSFT: bad, bad, bad idea to not stick to the internet standard (RFC 1738).
>

The
Mon Jul 24 18:01:01 CDT 2006

"Clint" <nobody@nowhere.non> wrote in message
news:k74xg.149744$S61.133719@edtnps90...
>I don't know why you insist on blaming MS(FT?) for this. AFAIK, other
>browsers work fine with that kind of addressing as well. Ping resolves to
>the IP address as well, as does an nslookup. I don't have a linux machine
>handy, but I suspect it will work just fine from there too.
>
> To be perfectly honest, I'm not sure how a IP address of 66.92.28.69 is
> any easier to decipher than 1113332805. Neither one is human-readable to
> determine if it's a "good" address or a "bad" one.

it's not a matter of being easy or hard to decypher.

it's a matter of implementing a perfectly well defined standard correctly
and accurately and sticking to it, rather than implementing poorely-thought
proprietary extensions that scammers take advantage of.

it is clear that MSFT is to blame here for not implementing correctly and
not enforcing the RFC 1738 standard for URL syntax recognized by PIE and IE.

riki
Mon Jul 24 19:58:08 CDT 2006

The PocketTV Team wrote:
> i don't understand why PIE (and IE too, by the way) accepts URL's like
> http://1113332805 which, according to RFC 1738, are not legal syntax.
According to RFC 1123 (section 2.1) this IS legal syntax

" The syntax of a legal Internet host name was specified in RFC-952
[DNS:4]. One aspect of host name syntax is hereby changed: the
restriction on the first character is relaxed to allow either a
letter or a digit. Host software MUST support this more liberal
syntax."

Riki

--
ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
AbstractStart for Smartphone :
http://homepages.inspire.net.nz/~gambit/AbstractStart/

E-business, however, is not the same as what we call the "dot com"
model. The dot com model is content for advertising. E-business is a
more robust form of catalogue and phone business, which has survived for
years and years before computers could count to 257.-- dasmegabyte
(2001-04-12)

Clint
Mon Jul 24 20:19:20 CDT 2006

If Linux OS's recognize the same addressing scheme, as someone else reported
Thunderbird on Linux does, wouldn't that imply that it's not a Microsoft
issue?

In any case, using a numeric representation of an IP address (whether it's
the standard dotted-decimal representation or a hexidecimal representation)
is the first hint that you should think twice about clicking the link.
Either one is just as easy or difficult to verify the validity/ownership.
For that matter, you can also use dotted-hexidecimal, or straight
hexidecimal representation, theoretically, if you want to be really
confusing. This site has some interesting information:
http://www.pc-help.org/obscure.htm. This newsgroup article also has some
interesting information:
http://groups.google.ca/group/mailing.unix.squid-users/browse_thread/thread/54cd7f06d8db6f10/8d83b3fc7ab484db?lnk=st&q=&rnum=2&hl=en#8d83b3fc7ab484db

As far as that goes, if I get any URL in an e-mail, I always check that the
URL shown is the same as the destination. It's very easy to create a <a..>
tag that shows one thing but takes you to a totally different site. And
none of this has ANYTHING to do with Microsoft.

Clint

"The PocketTV Team" <support@pockettv.com> wrote in message
news:el6qJU3rGHA.5032@TK2MSFTNGP02.phx.gbl...
> "Clint" <nobody@nowhere.non> wrote in message
> news:k74xg.149744$S61.133719@edtnps90...
>>I don't know why you insist on blaming MS(FT?) for this. AFAIK, other
>>browsers work fine with that kind of addressing as well. Ping resolves to
>>the IP address as well, as does an nslookup. I don't have a linux machine
>>handy, but I suspect it will work just fine from there too.
>>
>> To be perfectly honest, I'm not sure how a IP address of 66.92.28.69 is
>> any easier to decipher than 1113332805. Neither one is human-readable to
>> determine if it's a "good" address or a "bad"
>
> it's not a matter of being easy or hard to decypher.
>
> it's a matter of implementing a perfectly well defined standard correctly
> and accurately and sticking to it, rather than implementing
> poorely-thought proprietary extensions that scammers take advantage of.
>
> it is clear that MSFT is to blame here for not implementing correctly and
> not enforcing the RFC 1738 standard for URL syntax recognized by PIE and
> IE.
>

riki
Mon Jul 24 23:20:19 CDT 2006

riki wrote:
> The PocketTV Team wrote:
>> i don't understand why PIE (and IE too, by the way) accepts URL's like
>> http://1113332805 which, according to RFC 1738, are not legal syntax.
> According to RFC 1123 (section 2.1) this IS legal syntax

Further, RFC 1738 is for the most part obsoleted by RFC 2396, then RFC
2732, and finally by RFC 3986 (Uniform Resource Identifier (URI):
Generic Syntax), which, like RFCs 1945 (Hypertext Transfer Protocol --
HTTP/1.0) and 2068 (Hypertext Transfer Protocol -- HTTP/1.1), concur
with RFC 1123 Section 2.1 for the specification of the host.

Riki

--
ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
AbstractStart for Smartphone :
http://homepages.inspire.net.nz/~gambit/AbstractStart/

(when asked how much sleep he'd gotten...)"I'd have to do a 'last' to
find out when I went to bed last night."-- Mike Galluchon, Software
Developer

The
Tue Jul 25 04:23:56 CDT 2006

the fact that other RFC's define the concept of URI as an extension of URL
is not relevent to the definition (in the RFC internet standard) of the
correct syntax of URL's.

apparently most people who commented about the issue of dotless URL's (not
here, but in general over other forums) - and the security issues they
raise - seem to all agree that this is a Microsoft extension (introduced in
IE 4) that is not defined in any RFC specifying allowed URL formats.

riki, if you know an RFC that specify that the internet standard allows URL
to use dotless syntax for the domain, please tell me what RFC, and what
section in the RFC.

thanks!

"riki" <see_my_home@page> wrote in message
news:%23CKBlG6rGHA.4848@TK2MSFTNGP04.phx.gbl...
> riki wrote:
>> The PocketTV Team wrote:
>>> i don't understand why PIE (and IE too, by the way) accepts URL's like
>>> http://1113332805 which, according to RFC 1738, are not legal syntax.
>> According to RFC 1123 (section 2.1) this IS legal syntax
>
> Further, RFC 1738 is for the most part obsoleted by RFC 2396, then RFC
> 2732, and finally by RFC 3986 (Uniform Resource Identifier (URI): Generic
> Syntax), which, like RFCs 1945 (Hypertext Transfer Protocol --
> HTTP/1.0) and 2068 (Hypertext Transfer Protocol -- HTTP/1.1), concur with
> RFC 1123 Section 2.1 for the specification of the host.
>
> Riki
>
> --
> ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
> AbstractStart for Smartphone :
> http://homepages.inspire.net.nz/~gambit/AbstractStart/
>
> (when asked how much sleep he'd gotten...)"I'd have to do a 'last' to find
> out when I went to bed last night."-- Mike Galluchon, Software Developer

The
Tue Jul 25 04:33:10 CDT 2006

riki,

the section that you refer to, RFC 1123 Section 2.1, see below, is only
saying that the syntax has been "relaxed" to allow a *** "host name" *** to
start with a digit.

i.e. before this "relaxation", the host "7up.pepsi.com" was not allowed, now
it is allowed.

but this RFC does not define dot-less numerical hosts (i.e. as an alternate
way to represent an IP address, with no DNS resolution involved) as being
legal.

or am i missing something?

=======================================
2.1 Host Names and Numbers

The syntax of a legal Internet host name was specified in RFC-952
[DNS:4]. One aspect of host name syntax is hereby changed: the
restriction on the first character is relaxed to allow either a
letter or a digit. Host software MUST support this more liberal
syntax.

Host software MUST handle host names of up to 63 characters and
SHOULD handle host names of up to 255 characters.

Whenever a user inputs the identity of an Internet host, it SHOULD
be possible to enter either (1) a host domain name or (2) an IP
address in dotted-decimal ("#.#.#.#") form. The host SHOULD check
the string syntactically for a dotted-decimal number before
looking it up in the Domain Name System.

DISCUSSION:
This last requirement is not intended to specify the complete
syntactic form for entering a dotted-decimal host number;
that is considered to be a user-interface issue. For
example, a dotted-decimal number must be enclosed within
"[ ]" brackets for SMTP mail (see Section 5.2.17). This
notation could be made universal within a host system,
simplifying the syntactic checking for a dotted-decimal
number.

If a dotted-decimal number can be entered without such
identifying delimiters, then a full syntactic check must be
made, because a segment of a host domain name is now allowed
to begin with a digit and could legally be entirely numeric
(see Section 6.1.2.4). However, a valid host name can never
have the dotted-decimal form #.#.#.#, since at least the
highest-level component label will be alphabetic.
==============================================



"riki" <see_my_home@page> wrote in message
news:%23CKBlG6rGHA.4848@TK2MSFTNGP04.phx.gbl...
> riki wrote:
>> The PocketTV Team wrote:
>>> i don't understand why PIE (and IE too, by the way) accepts URL's like
>>> http://1113332805 which, according to RFC 1738, are not legal syntax.
>> According to RFC 1123 (section 2.1) this IS legal syntax
>
> Further, RFC 1738 is for the most part obsoleted by RFC 2396, then RFC
> 2732, and finally by RFC 3986 (Uniform Resource Identifier (URI): Generic
> Syntax), which, like RFCs 1945 (Hypertext Transfer Protocol --
> HTTP/1.0) and 2068 (Hypertext Transfer Protocol -- HTTP/1.1), concur with
> RFC 1123 Section 2.1 for the specification of the host.
>
> Riki
>
> --
> ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
> AbstractStart for Smartphone :
> http://homepages.inspire.net.nz/~gambit/AbstractStart/
>
> (when asked how much sleep he'd gotten...)"I'd have to do a 'last' to find
> out when I went to bed last night."-- Mike Galluchon, Software Developer

riki
Tue Jul 25 05:53:50 CDT 2006

The PocketTV Team wrote:
> the fact that other RFC's define the concept of URI as an extension of URL
> is not relevent to the definition (in the RFC internet standard) of the
> correct syntax of URL's.

while the distinction between URIs and URLs (and URNs) isn't as clean as
it could be (see RFC 3305 - Uniform Resource Identifiers (URIs), URLs,
and Uniform Resource Names (URNs): Clarifications and Recommendations")

I believe RFC 3986 Section 1.1.3 (see also Examples in 1.1.2) covers the
relationship between a URI and a URL best. It states:

"The term "Uniform Resource Locator" (URL) refers to the subset of URIs
that, in addition to identifying a resource, provide a means of locating
the resource by describing its primary access mechanism (e.g., its
network "location")."

Thus "http:" is a URI scheme. An http URI is a URL. They are highly
related, you can't simply say RFC1738 was the latest RFC with "URL" in
the name therefore is the authoritative definition.

URIs and URLs were first defined in RFC 1630 (which predates RFC1738 by
6 months). So I would argue that a URI is not merely an "extension" to
URLs, if anything the reverse would be more 'true'.

> apparently most people who commented about the issue of dotless URL's (not
> here, but in general over other forums) - and the security issues they
> raise - seem to all agree that this is a Microsoft extension (introduced in
> IE 4) that is not defined in any RFC specifying allowed URL formats.

I disagree, there is an RFC standards, see below for references. See
also this discussion of URL in IE from the IE7 blog:
http://blogs.msdn.com/ie/archive/2005/08/15/452006.aspx

> riki, if you know an RFC that specify that the internet standard allows URL
> to use dotless syntax for the domain, please tell me what RFC, and what
> section in the RFC.

the hostname of URLs are defined in RFC 3986 (Uniform Resource
Identifier (URI): Generic Syntax) Section 3.2.2

The RFC you refer to (1738 "Uniform Resource Locators (URL)", released
in December 1994) has been obsolete since Augest 1998, when RFC 2396
came out. See the Abstract of RFC2396 which states it replaces 1738.

Also RFC 1738 "Functional *Recommendations* for Internet Resource
Locators" is just that, an informal recommendation. The fact it states
you can't have a number as the first character of a host name is a known
bug with the document, as RFC 1123 "Requirements for Internet Hosts --
Application and Support" which predates it, introduced the requirement
that applications support all numeric host names (Section 2.1).

riki

--
ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
AbstractStart for Smartphone :
http://homepages.inspire.net.nz/~gambit/AbstractStart/

How should I know if it works? That's what beta testers are for. I only
coded it. -- Attributed to Linus Torvalds

riki
Tue Jul 25 06:00:52 CDT 2006

The PocketTV Team wrote:
> riki,
> but this RFC does not define dot-less numerical hosts (i.e. as an alternate
> way to represent an IP address, with no DNS resolution involved) as being
> legal.

ahh, mybad, i misunderstood your arguments. I'll have to relook into it
tomorrow.

riki

--
ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
AbstractStart for Smartphone :
http://homepages.inspire.net.nz/~gambit/AbstractStart/

"Any suficiently stupid /. poster is indistinguishable from a troll"

riki
Tue Jul 25 06:04:51 CDT 2006

riki wrote:
> The PocketTV Team wrote:
>> riki,
>> but this RFC does not define dot-less numerical hosts (i.e. as an
>> alternate way to represent an IP address, with no DNS resolution
>> involved) as being legal.
>
> ahh, mybad, i misunderstood your arguments. I'll have to relook into it
> tomorrow.

looks like your right:
http://tools.ietf.org/html/rfc3986#section-7.4

riki

--
ThemeChanger for Smartphone : http://homepages.inspire.net.nz/~gambit/
AbstractStart for Smartphone :
http://homepages.inspire.net.nz/~gambit/AbstractStart/

Never underestimate the power of stupid people in large groups.

The
Tue Jul 25 06:58:10 CDT 2006


"riki" <see_my_home@page> wrote in message
news:eKq$ro9rGHA.4772@TK2MSFTNGP02.phx.gbl...
> riki wrote:
>> The PocketTV Team wrote:
>>> riki,
>>> but this RFC does not define dot-less numerical hosts (i.e. as an
>>> alternate way to represent an IP address, with no DNS resolution
>>> involved) as being legal.
>>
>> ahh, mybad, i misunderstood your arguments. I'll have to relook into it
>> tomorrow.
>
> looks like your right:
> http://tools.ietf.org/html/rfc3986#section-7.4

thanks for this link.

that's exactly my point.

and this proprietary extension (dot-less server URL) invented by MSFT does
become a security concern, and spammers/scammers/phishers have perfectly
understood that and they constantly take advantage of this. i receive
dozens (maybe hundreds) of emails with this sort of URL every day - which my
filter discards, naturally.

but why is this extension still supported, if its only benefit is to help
spammers/scammers/phishers?

i don't understand...

The
Tue Jul 25 07:00:19 CDT 2006


"riki" <see_my_home@page> wrote in message
news:eKq$ro9rGHA.4772@TK2MSFTNGP02.phx.gbl...
> riki wrote:
>
> looks like your right:
> http://tools.ietf.org/html/rfc3986#section-7.4

this section is called "Rare IP Address Formats", which is quite funny,
since this IP format is now very commonly used in spam/junk/phishing emails.

it's rarely used only by honnest people :)