Microsoft Advises to Type in URLs Rather than Click
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
The point is there's a bug in IE that even with JavaScript turned off people can give the impression that you're going to a different URL than you really are, the worst thing is it also affects the address bar. Be safe, don't use IE
What is the best browser for MS platform?? Mozilla, Opera,?? Let a brother know.
Mozilla Firebird is a lean, mean browsing machine. Highly recommended. Remember not to click the link if you're in IE!
I try to convince other people of this. Firebird contains a popup blocker, supports tabbed browsing, is more secure, and has a gestures plugin.
The other people just don't. It's not like they don't know how. These are proper techies. They just make up daft excuses like not trusting free software.
Maybe trust is important. You can trust IE after all. You can trust it to be insecure.
But it still doesn't make sense. Some secure sites have a feature that requires a referrer link when you access different pages. If you type in a URL, there is no referrer link, and so in that case, you might not be able to access that site.
On the other hand, I use Opera, and I love it. While it has a little banner that displays ads depending on what you're currently surfing (unless you pay 30 bucks for it), I find it in no way to be intrusive. Go try it out.
It hasn't made it on Slashdot yet, but Netcraft is reporting that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.
For more information, please see Microsoft's advisory. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".
After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..
Workarounds for this new behavior are listed as:
* Do not include user information in HTTP or HTTPS URLs.
* Instruct users not to include their user information when they type HTTP or HTTPS URLs.
How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
I see others have recommended Mozilla Firebird. It's a great browser indeed, and open source.
However, I recommend Opera. It's small, fast, very standards-compliant, and has lots of nice features that make browsing the web just a little more comfortable. Examples:
Don't want to wait for those graphics to load? Press G to stop loading them. You can selectively view some images if you need to.
Can't read the fonts? Color scheme ticking you off? Press Ctl+G to use the default stylesheet. Black text on white background, couldn't be more legible. Don't like the default stylesheet? Don't worry, you can change it.
Type g litigious bastards in the address bar to search for litigious bastards on Google.
Bookmark pages and assign aliases to them to surf there quickly. For example, I used sd for Slashdot and osn for OSNews.
I don't like mouse gestures, but some people love them. Opera does, too.
Etc, etc.
It's a pity Opera on Linux keeps crashing. On Windows, it's great, though.
Please correct me if I got my facts wrong.
I'm sure the majority of the glaring errors or lacking features will be addressed before it becomes an official product.
The same MS advisory page recommends (way down at the bottom for those that don't bother to RTFA):
...
Read E-mail Messages in Plain Text.
By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:
* %00
* %01
* @
Gee, ya think that HTML email is a bad idea..? I wonder how many people even realize that this "IE advisory" applies to Outlook and their email as well?
Nice way to bury that one, guys..
This is in no way bashing Opera, which has a lot of great innovations and I hope to return to when this problem is fixed. Just a warning that Opera may not be as fast as everyone thinks!
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
You missed the point.
http://www.amazon.com%01@malicious-site.com
will show as http://www.amazon.com%01@malicious-site.com in Mozilla, Firebird, Opera, etc.
In IE, it will show as http://www.amazon.com
That is the flaw. It has everything to do with IE.
to add mailto: support to Firebird just install mozex extension
Firebird: Press ESC
Firebird: has image blocking: right click -> block images from <server name>
Firebird: Ctrl++, or Ctrl+- for smaller fonts
Firebird: No shortcut for default colours yet.
Firebird: Preferences->General->Fonts&Colors
Firebird: By default has `google' as alias for google, but you can do this with anything by assigning alias to sites with %s for the search term, eg:
See above.
Firebird also has type ahead searching. A feature which one can't live without.
"If anyone needs me, I'm in the angry dome."
The bug is not allowing URLs style:
http://fake.host.as.username@the.real.evi
This is perfectly legal and most people will spot it! (well, at least I do.)
The bug is:
http://fake.host.as.username[somespecialchar
where the special character prevents IE from displaying anything after it.
This is NOT the case in other browsers, this is a serious vulnerability (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
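A defensive check for the link forms discussed in the comments above (the `%00`, `%01` and `@` characters listed in the advisory, and the `www.amazon.com%01@malicious-site.com` example), added here as an example and not part of the thread: it parses each link in a plain-text message and reports the host the browser would really contact. The function names are hypothetical, and the sample message is constructed around the one URL quoted in the thread plus reserved example addresses.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical helper names; sample URLs other than the one quoted in the
# thread are constructed and use reserved example domains/addresses.
HOSTLIKE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+", re.I)
LINK = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_control(c):
    return ord(c) < 0x20 or ord(c) == 0x7F

def audit_link(url):
    """Return (host the browser will contact, list of findings)."""
    parts = urlsplit(url)
    findings = []
    # Everything before the last '@' in the authority is user information.
    userinfo, at, _ = parts.netloc.rpartition("@")
    if parts.scheme in ("http", "https") and at:
        findings.append("userinfo")
        decoded = unquote(userinfo)
        # %00 / %01 decode to the control characters that truncated IE's display.
        if any(is_control(c) for c in decoded):
            findings.append("control-char")
        # A user name shaped like a domain exists to be mistaken for the host.
        name = "".join(c for c in decoded.split(":")[0] if not is_control(c))
        if HOSTLIKE.fullmatch(name):
            findings.append("hostname-like-userinfo")
    return parts.hostname, findings

def scan_text(body):
    """Audit every http(s) link in a plain-text message; return flagged ones."""
    flagged = []
    for match in LINK.findall(body):
        url = match.rstrip(".,;)")  # drop sentence punctuation glued to the link
        host, findings = audit_link(url)
        if findings:
            flagged.append((url, host, findings))
    return flagged

# Constructed sample message body.
SAMPLE_BODY = """\
Your order has shipped: http://www.amazon.com%01@malicious-site.com
Reset your password at http://bank.example%00@203.0.113.7/reset
Help pages: https://www.example.com/help?contact=a@b.example
"""

if __name__ == "__main__":
    for url, host, findings in scan_text(SAMPLE_BODY):
        print(f"{url}\n  real host: {host}\n  findings:  {', '.join(findings)}")
```

The third link is not flagged: its `@` sits in the query string, not in the authority, so it carries no user information.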
The URL spoofing exploit also exists in Mozilla
bzzt - wrong. It existed only partially. The status bar would display the URL incorrectly, however the address bar always correctly displayed the full URL. There was a patch for this the same day that it was discovered Mozilla was partially affected, and an improved fix has since been checked in to all major Mozilla variants. Mozilla 1.6 is fixed, as will be Firebird 0.8 (due any day now).
Check to see if your browser is vulnerable at the Secunia Address Bar Spoofing test page.
Mozilla
Ah! But there is a google toolbar for Moz. Happy switching.
When I was using Galeon, I would just put a "Search Google" box in my toolbar. (Here's a screenshot with three Google search boxes. Two of them are folded closed to save space). Firebird has similar functionality.
For a variety of reasons I switched back to plain old Mozilla, and certainly don't visit Google.com directly. Personally I use bookmark keywords. I've got "g" mapped to Google, so I just type something like "g galeon screenshots" in my address bar and I get a search for "galeon screenshots" from Google. It's such a handy feature that I've got similar keywords for Wikipedia, Everything2, dictionary.com, FreshMeat, and a few others.
However, if I was only using one search engine, I might use the default behavior built into the address bar. When you type an address in, a drop list of suggestions appears below. The bottom one is always, "Search ENGINE for 'YOUR KEYWORDS'", where ENGINE is one of the many options you can configure (including Google), and YOUR KEYWORDS are whatever you typed. You just select it and off you go.
If you're really keen on having a search box dedicated to Google, well, besides trying something like Galeon or Firebird, you can install the Googlebar (screenshots). Personally I'm no longer keen on adding search boxes to toolbars, I want less user interface on screen, not more. Less interface means more space for actual web page.
As a general rule I try to not obsess about what piece of software thinks about my web site or the web sites of others. Knowing PageRanking is certainly amusing, and it may be marginally useful if you're doing professional web work, but is it really that critical?
I'll admit, it's a shame Mozilla doesn't provide it, but it's not really that big of a deal.
Neither have I. It seems a bit odd to co-mingle popup-blocking and searching into a single component, but I guess if it works for you. Mozilla's popup blocking support works great and comes built in to the browser. As a bonus I can also stop sites from doing other irritating things. For example, I've forbidden sites from resizing or moving existing windows or moving windows up and down in the screen ordering. If you're sick of sites doing stupid crawls in your status bar or hiding the real destination for links you can just click "Allow scripts to...Change status bar text."
Tabbed browsing has never been about resources; that you think it does shows a serious lack of understanding about modern web browsers. Every major browser (including IE and Mozilla) will only run one copy of the program, regardless of how many windows you have open. Tabs are not significantly more efficient than windows.
Tabbed browsing is about organization. The task bar works fine, but it doesn't scale. If you've got 20 windows open you've just got twenty little teeny icons with almost no text. XP's grouping helps, but all of the web browser windows get lumped together. A typical use case would be to have a window open to a web email site, another window reading a list of bugs assigned to me and a bunch of tabs for individual bugs I'm loo