Microsoft Advises to Type in URLs Rather than Click
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
Like that you'll at least always see where the link is going before you go there.
"Little does he know, but there is no 'I' in 'Idiot'!"
Firebird is definitely the best.
Do not go gentle into that good night. Rage, rage against the dying of the light.
What is the best browser for MS platform?? Mozilla, Opera,?? Let a brother know.
Mozilla Firebird is a lean, mean browsing machine. Highly recommended. Remember not to click the link if you're in IE!
I try to convince other people of this. Firebird contains a popup blocker, supports tabbed browsing, is more secure, and has a gestures plugin.
The other people just don't. It's not like they don't know how. These are proper techies. They just make up daft excuses like not trusting free software.
Maybe trust is important. You can trust IE after all. You can trust it to be insecure.
It hasn't made it on Slashdot yet, but Netcraft is reporting that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.
For more information, please see Microsoft's advisory. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".
After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..
Workarounds for this new behavior are listed as:
* Do not include user information in HTTP or HTTPS URLs.
* Instruct users not to include their user information when they type HTTP or HTTPS URLs.
How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
I see others have recommended Mozilla Firebird. It's a great browser indeed, and open source.
However, I recommend Opera. It's small, fast, very standards-compliant, and has lots of nice features that make browsing the web just a little more comfortable. Examples:
Don't want to wait for those graphics to load? Press G to stop loading them. You can selectively view some images if you need to.
Can't read the fonts? Color scheme ticking you off? Press Ctl+G to use the default stylesheet. Black text on white background, couldn't be more legible. Don't like the default stylesheet? Don't worry, you can change it.
Type g litigious bastards in the address bar to search for litigious bastards on Google.
Bookmark pages and assign aliases to them to surf there quickly. For example, I used sd for Slashdot and osn for OSNews.
I don't like mouse gestures, but some people love them. Opera does, too.
Etc, etc.
It's a pity Opera on Linux keeps crashing. On Windows, it's great, though.
Please correct me if I got my facts wrong.
I'm sure the majority of the glaring errors or lacking features will be addressed before it becomes an official product.
The same MS advisory page recommends (way down at the bottom for those that don't bother to RTFA):
...
Read E-mail Messages in Plain Text.
By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:
* %00
* %01
* @
Gee, ya think that HTML email is a bad idea..? I wonder how many people even realize that this "IE advisory" applies to Outlook and their email as well?
Nice way to bury that one, guys..
This is in no way bashing Opera, which has a lot of great innovations and I hope to return to when this problem is fixed. Just a warning that Opera may not be as fast as everyone thinks!
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
There is nothing about Moz Firebird that's going to make this less of an issue. The fact is that the typical user is going to see http://www.amazon.com@/fakepath/usualAmazoncrap:russianmafia.ru and think it's an Amazon URL.
Quick check: how many of you bought something online and actually checked the lock icon? While shopping during Christmas? When you were under pressure to get something done?
This is a human interface architecture issue, plain and simple. It has nothing to do with IE, nothing to do with SSL or any TLAs and everything to do with the fact that URLs and the web were not designed with security and human interface in mind.
To fix this, we need to transition to a standard way of verifying security. A quick fix to this problem would be to redesign the address bar to actually show the protocol and the host, something along the lines of:
[protocol: http, insecure] [host: www.russianmfia.ru] [user:www.amazon.com] [path:...]
A larger fix would be to transition to a set of protocols and interface standards that establish how a user chooses privacy and security options.
Personally, I think that if you are getting into sites that are spoofing you elsewhere, you are probably going to bad sites in the first place.
However, IE doesn't help to inform a user in their decision making. In Mozilla, I can get the toolbar to tell me what's behind a hyperlink - so a designer can't pretend it's another address.
It looks like the only browser immune to this is Opera.
"Though little-used, the tricky URL form is a recognised Internet standard as documented in various RFC documents. For this reason the developers of other browsers, like Mozilla, don't feel they can simply get rid of it. Instead, the Mozilla developers and a horde of kibitzers have spent almost a year and 156 comments discussing what can be done. Right now that effort has got precisely nowhere and Mozilla users are almost as vulnerable as Internet Exploder users to being hoaxed in this way."
I stole this sig.
The way to win the battle against runaway popups is to rapidly and repeatedly press the Escape key. The pop-up window will appear, but since Escape is a shortcut for the Stop button, it won't have a chance to load its content (including the script which opens more windows), and you can close it safely.
Ah, but XHTML 2 is in the same namespace as XHTML 1, which means people might assume 'a' is anchor anyway. That's even why they made 'q' into 'quote', because the display semantics of 'q' were different ('q' is supposed to have quotes automatically supplied, whereas 'quote' isn't.)
Karma: It's all a bunch of tree-huggin' hippy crap!
To add mailto: support to Firebird, just install the mozex extension.
Firebird: Press ESC
Firebird: has image blocking: right click -> block images from <server name>
Firebird: Ctrl++, or Ctrl+- for smaller fonts
Firebird: No shortcut for default colours yet.
Firebird: Preferences->General->Fonts&Colors
Firebird: By default has `google' as alias for google, but you can do this with anything by assigning alias to sites with %s for the search term, eg:
See above.
Firebird also has type ahead searching. A feature which one can't live without.
"If anyone needs me, I'm in the angry dome."
MYIE2 installs a front end for the IE engine that does all of this. It also allows tabbed browsing. It is definitely worth a look.
Note: If the status bar is not enabled, the lock will not appear.
Whoever wrote this KB article needs to send it to their neighbors in WinXP product development. The status bar is disabled by default in Windows Explorer in XP.
Also, Windows still has "hide known file extensions" option checked by default. So something like annavirus.jpg.vbs looks like a .jpg file to the average Windows home user.
The bug is not allowing URLs of the style:
http://fake.host.as.username@the.real.evi
This is perfectly legal and most people will spot it! (well, at least I do.)
The bug is:
http://fake.host.as.username[somespecialchar
where the special character prevents IE from displaying anything after it.
This is NOT the case in other browsers, this is a serious vulnerability (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
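The check a defender would want here, covering the [protocol] [host] [user] [path] address-bar layout proposed earlier in the thread as well as the userinfo and %00/%01 tricks this post and the KB excerpt describe. Added example in Python, not code from the KB article, any poster, or any browser; the sample URLs are constructed.

```python
"""
Decompose a URL into the fields the proposed address bar would show
([protocol] [host] [user] [path]) and flag the userinfo and control-character
tricks the thread describes. Added example; sample URLs are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Percent-encoded control characters the KB article lists; a browser that stops
# rendering the address at such a byte hides everything after it.
CONTROL_ESCAPES = re.compile(r"%0[01]", re.IGNORECASE)
# Something that looks like a hostname sitting in the userinfo slot.
HOSTLIKE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)


def decompose(url):
    """Return the fields a security-aware address bar would show, plus warnings."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""      # the part the browser actually connects to
    user = parts.username or ""      # everything before '@' (and before any ':')
    path = parts.path or "/"
    warnings = []
    if scheme != "https":
        warnings.append("insecure: not TLS")
    if not host:
        warnings.append("no host could be parsed")
    if user:
        warnings.append("userinfo present: the text before '@' is not the host")
        # Decode and drop control bytes so 'www.amazon.com%01' is seen for what it is.
        shown = re.sub(r"[\x00-\x1f\x7f]", "", unquote(user))
        if HOSTLIKE.match(shown):
            warnings.append("userinfo looks like a hostname: probable spoof")
    if CONTROL_ESCAPES.search(url):
        warnings.append("%00/%01 in URL: display-truncation trick")
    return {"protocol": scheme, "host": host, "user": user,
            "path": path, "warnings": warnings}


def render(url):
    """Format the decomposition the way the earlier post sketches it."""
    d = decompose(url)
    flag = "TLS" if d["protocol"] == "https" else "insecure"
    return (f"[protocol: {d['protocol']}, {flag}] [host: {d['host']}] "
            f"[user: {d['user']}] [path: {d['path']}]")


if __name__ == "__main__":
    # Constructed samples: a plain shop URL, the spoof pattern from the thread,
    # and a legitimate (if unwise) use of userinfo.
    for sample in ("https://www.amazon.com/gp/cart",
                   "http://www.amazon.com%01@russianmafia.ru/login",
                   "http://user:pw@intranet.example/"):
        print(render(sample))
        for w in decompose(sample)["warnings"]:
            print("  !", w)
```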
Oh my, they really are nuts. They can't even write such an article correctly: not only is link handling bogus, but also form posts - you can have this %01 thing in a <form action=...>.
They fail to inform users that they shouldn't push buttons.
The @ symbol is required for http-based authentication
That is exactly how MS plans on fixing this problem. Read more here.
Bad boys rape our young girls but Violet gives willingly.
The URL spoofing exploit also exists in Mozilla
bzzt - wrong. It existed only partially. The status bar would display the URL incorrectly, however the address bar always correctly displayed the full URL. There was a patch for this the same day that it was discovered Mozilla was partially affected, and an improved fix has since been checked in to all major Mozilla variants. Mozilla 1.6 is fixed, as will be Firebird 0.8 (due any day now).
Check to see if your browser is vulnerable at the Secunia Address Bar Spoofing test page.
Mozilla
How on EARTH did someone write this KB article without cracking up. Are they for real or what?
This one will crack you up even more: Don't use the word "begin" -- use "start" or "commence" instead. That's right, the parser doesn't need fixing, the English language does.
It's frightfully for real. How's MS's level of support looking now?
I've finally had it: until slashdot gets article moderation, I am not coming back.
I just received an email the other day, which was worded something like:
Look very closely at that content, and you'll see the subtle exploit in it.
How can John Q. Public or your grandmother be sure of this, without actually viewing and auditing the source of the webpage/email they're receiving? This assumes that some mail readers can actually allow you to view the raw source of the email, to see if it contains any malicious flaws like this.
If you visit e-qo1d.com in a browser, you'll see the exact exploit it uses. Not to worry, it is relatively safe (unless you are a customer of e-gold.com, and purchase gold online).
This is one example of how these companies are misusing this type of exploit to liquidate people's bank accounts. Nice.
using escape characters
Obviously the people who wrote this article advising users to type in URLs have NO IDEA how bad things are right now. I had a job in phone support for an ISP recently, and it's impossible to get the average user to type a URL in the address bar, because most don't even HAVE an address bar anymore!
Typical conversation:
me: "Ok, now go to the address bar and type the following..."
customer: "Go to the what?"
me: "Ok, do you have a web browser open? It's the program you use to view websites."
customer: "I thought I had you guys."
me: "Yes, now click on whatever you use to view our homepage."
customer: "But I just told you I don't have that anymore all I have is this incredifind.com thing."
me: "That's ok, I'll fix that in a minute, just click on it and open it up."
customer: "Ok, I have the incredifind open. Now how do I get to my internet?"
me: "Ok, do you have an address bar at the top?"
customer: "Wait, there's popups in the way now, let me close them."
(wait 4 minutes to close popups that spawn other popups)
customer: "Ok I can see, you said address? I don't see that."
me: "Well we want to type in a web page, so do you see a long white bar at the top?"
customer: "Yeah I have 4, let me just type it in this super search one..."
me: "Umm ok let's not..."
customer: "Ok I'm at ultimatelinks.com, what do I click on now?"
me: "Ok let's forget about that for a minute, what do the white bars at the top say next to them"
customer: "Umm.. searchnow, supersearch, fastsearch, quickfind..."
me: "Do any of them say address next to them?"
customer: "No."
me: "Ok do you have the word address anywhere in the gray area up at the top?"
customer: "I have file... edit.."(wait 3 minutes to read entire list)
Now, either the address bar is there and collapsed, and I spend 5 minutes trying to instruct them how to use the mouse to drag it open, or it's not and I try to go through the view menu and turn it on, and spend 5 minutes trying to figure out which options are removed from their menus by spyware hijacks.
me: "Ok fine, hit ctrl+o, does a little window pop up?"
customer: "Yes, you want me to type it in there?"
me: "Yes do that."
customer: "Ok, I'm there but there's a big popup and I can't close it because it has no X."
me: "Ok can you drag it out of the way?"
customer: "How do I do that?"
me: "Ok try just hitting control and the F4 key at the top of your keyboard, does it go away?"
customer: "Yeah. That's neat, I'll write that down. Wait, another popup came up..."
I'm not kidding, this is in no way an exaggeration or parody. While this is not a real conversation in itself, all these things have occurred in similar conversations I had on the phone during support calls. And they seriously expect these people to type in URLs? How about making the browser so malicious programs can't remove or replace the address bar first?
Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!
On my Mac I run Safari, IE, Mozilla and Opera. Opera is the slowest to load, taking five times longer than Safari, despite being half the size. It also renders Opera's own site so slowly as to be unusable - I did a comparison the other day, and Safari rendered the site at least four times faster. Opera even beachballs for half a second when hovering over a link requires re-rendering (as all the links at Opera.com do). The only reason I ever run it is to test CSS compatibility, where it is good - although its JavaScript/legacy DOM support is abominable.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Firebird has a Google search box in the upper right, and innate popup blocking.
Ah! But there is a google toolbar for Moz. Happy switching.
I don't know what "sort-of" means, but Konqueror is in no way affected by this exploit. It displays correct address both in the status bar as well as the URL bar.
Having said that, I did like Opera's feature that popped up that warning. If you get spam in your webmail account some images (in embedded HTML) may come from a server that will authenticate you like that and possibly track which e-mails are being read. If only Opera was able to manage all the ads that some websites throw at it.
When I was using Galeon, I would just put a "Search Google" box in my toolbar. (Here's a screenshot with three Google search boxes. Two of them are folded closed to save space). Firebird has similar functionality.
For a variety of reasons I switched back to plain old Mozilla, and certainly don't visit Google.com directly. Personally I use bookmark keywords. I've got "g" mapped to Google, so I just type something like "g galeon screenshots" in my address bar and I get a search for "galeon screenshots" from Google. It's such a handy feature that I've got similar keywords for Wikipedia, Everything2, dictionary.com, FreshMeat, and a few others.
However, if I was only using one search engine, I might use the default behavior built into the address bar. When you type an address in, a drop-down list of suggestions appears below. The bottom one is always "Search ENGINE for 'YOUR KEYWORDS'", where ENGINE is one of the many options you can configure (including Google), and YOUR KEYWORDS are whatever you typed. You just select it and off you go.
If you're really keen on having a search box dedicated to Google, well, besides trying something like Galeon or Firebird, you can install the Googlebar (screenshots). Personally I'm no longer keen on adding search boxes to toolbars, I want less user interface on screen, not more. Less interface means more space for actual web page.
As a general rule I try to not obsess about what piece of software thinks about my web site or the web sites of others. Knowing PageRanking is certainly amusing, and it may be marginally useful if you're doing professional web work, but is it really that critical?
I'll admit, it's a shame Mozilla doesn't provide it, but it's not really that big of a deal.
Neither have I. It seems a bit odd to co-mingle popup-blocking and searching into a single component, but I guess if it works for you. Mozilla's popup blocking support works great and comes built in to the browser. As a bonus I can also stop sites from doing other irritating things. For example, I've forbidden sites from resizing or moving existing windows or moving windows up and down in the screen ordering. If you're sick of sites doing stupid crawls in your status bar or hiding the real destination for links you can just click "Allow scripts to...Change status bar text."
Tabbed browsing has never been about resources; that you think it does shows a serious lack of understanding about modern web browsers. Every major browser (including IE and Mozilla) will only run one copy of the program, regardless of how many windows you have open. Tabs are not significantly more efficient than windows.
Tabbed browsing is about organization. The task bar works fine, but it doesn't scale. If you've got 20 windows open you've just got twenty little teeny icons with almost no text. XP's grouping helps, but all of the web browser windows get lumped together. A typical use case would be to have a window open to a web email site, another window reading a list of bugs assigned to me and a bunch of tabs for individual bugs I'm loo
With a javascript redirect. I couldn't get most web forums to accept the dodgy html directly and I wasn't sure others could copy it correctly, so I set up a bounce page.
If you use the direct link (as phishing scams always do), it shows up as "msie.microsoft.com" in the preview area too.
I'd be interested to know how SP2beta handles a direct link; I've read that it breaks javascript redirects under some conditions, but it's not clear that a direct link wouldn't still be displayed incorrectly.