Slashdot Mirror


Microsoft Advises to Type in URLs Rather than Click

spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"

10 of 984 comments

  1. Re:Turn off Javascript, turn on the status bar by linuxci · · Score: 5, Informative

    The point is there's a bug in IE that even with JavaScript turned off people can give the impression that you're going to a different URL than you really are; the worst thing is it also affects the address bar. Be safe, don't use IE.

  2. Re:Turn off Javascript, turn on the status bar by teledyne · · Score: 5, Informative

    But it still doesn't make sense. Some secure sites have a feature that requires a referrer link when you access different pages. If you type in a URL, there is no referrer link, and so in that case, you might not be able to access that site.

    On the other hand, I use Opera, and I love it. While it has a little banner that displays ads depending on what you're currently surfing (unless you pay 30 bucks for it), I find it in no way to be intrusive. Go try it out.

  3. Microsoft to remove the @ symbol from URLs by krappie · · Score: 5, Informative

    It hasn't made it on Slashdot yet, but Netcraft is reporting that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.

    For more information, please see Microsoft's advisory. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".

    After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..

    Workarounds for this new behavior are listed as:
    * Do not include user information in HTTP or HTTPS URLs.
    * Instruct users not to include their user information when they type HTTP or HTTPS URLs.

    How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".

    1. Re:Microsoft to remove the @ symbol from URLs by g3rr!t · · Score: 5, Informative

      Which would be correct, except that RFC1738 is obsoleted by RFC2396, which does allow for user names.

      (There's an interesting "discussion" over on Mozilla's bug id 122445 - regarding this, too)

  4. Re:Hah! by Megaslow · · Score: 5, Informative

    While I am also a happy Firebird user, it is lacking a few key things, e.g. mailto URLs are not handled properly. Also, there are still significant bugs, such as pages which cause the browser to completely croak, and bugs with the password manager.

    I'm sure the majority of the glaring errors or lacking features will be addressed before it becomes an official product.

  5. Re:You can't just use another browser. by binford2k · · Score: 5, Informative

    You missed the point.

    http://www.amazon.com%01@malicious-site.com

    will show as http://www.amazon.com%01@malicious-site.com in Mozilla, Firebird, Opera, etc.

    In IE, it will show as http://www.amazon.com

    That is the flaw. It has everything to do with IE.

  6. Re:Hah! by Walterk · · Score: 5, Informative

    However, I recommend Opera. [..] lots of nice features that make browsing the web just a little more comfortable. Examples:

    Don't want to wait for those graphics to load? Press G to stop loading them.

    Firebird: Press ESC

    You can selectively view some images if you need to.

    Firebird: has image blocking: right click -> block images from <server name>

    Can't read the fonts?

    Firebird: Ctrl++, or Ctrl+- for smaller fonts

    Color scheme ticking you off? Press Ctl+G to use the default stylesheet. Black text on white background, couldn't be more legible.

    Firebird: No shortcut for default colours yet.

    Don't like the default stylesheet? Don't worry, you can change it.

    Firebird: Preferences->General->Fonts&Colors

    Type g litigious bastards in the address bar to search for litigious bastards on Google.


    Firebird: By default has `google' as alias for google, but you can do this with anything by assigning alias to sites with %s for the search term, eg:
    • Google: http://www.google.com/search?q=%s&ie=UTF-8&oe=UTF-8&hl=xx-bork&btnG=Google-a+Seerch
    • IMDB: http://us.imdb.com/Find?select=All&for=%s


    Bookmark pages and assign aliases to them to surf there quickly. For example, I used sd for Slashdot and osn for OSNews.

    See above.

    Firebird also has type ahead searching. A feature which one can't live without.

  7. People, you misunderstand the problem! by SharpFang · · Score: 5, Informative

    The bug is not allowing URLs of the style:
    http://fake.host.as.username@the.real.evil.host/
    This is perfectly legal and most people will spot it! (well, at least I do.)
    The bug is:
    http://fake.host.as.username[somespecialchar]@the.real.evil.host/
    where the special character prevents IE from displaying anything after it.
    This is NOT the case in other browsers, this is a serious vulnerability (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
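
Added example (not part of the original comments): a link check for the userinfo trick described in comments 5 and 7, using the standard `URL` parser to separate what precedes the `@` from the host the browser actually contacts. The function name `inspectLink` and the returned field names are hypothetical; the sample URLs are the ones quoted in the comments.

```javascript
// Added example: report the real destination host of a link and flag
// userinfo that is shaped to look like a trusted hostname.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, host: null, userinfo: null, findings: ["unparseable URL"] };
  }

  const findings = [];
  // Everything before '@' is userinfo (user[:password]), never the host.
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;

  if (/^https?:$/.test(url.protocol) && userinfo !== "") {
    findings.push("userinfo present before '@'");

    // Userinfo that reads like a dotted hostname once percent-escapes are
    // removed is the disguise shown in the comments.
    const visible = url.username.replace(/%[0-9a-f]{2}/gi, "");
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(visible)) {
      findings.push("userinfo looks like a hostname: " + visible);
    }

    // Percent-encoded control characters (%00-%1F, %7F) are what truncated
    // the address-bar display in the affected browser. The parser also
    // percent-encodes raw control characters, so one pattern covers both.
    if (/%(?:[01][0-9a-f]|7f)/i.test(userinfo)) {
      findings.push("control character in userinfo");
    }
  }

  return { ok: findings.length === 0, host: url.hostname, userinfo, findings };
}

// Sample inputs: the first two are quoted in the comments, the third is benign.
for (const href of [
  "http://www.amazon.com%01@malicious-site.com",
  "http://fake.host.as.username@the.real.evil.host/",
  "https://www.amazon.com/",
]) {
  const r = inspectLink(href);
  console.log(href, "->", r.host, r.findings);
}
```
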
  8. Re:They can't be serious... by Christopher+Whitt · · Score: 5, Informative

    The URL spoofing exploit also exists in Mozilla

    bzzt - wrong. It existed only partially. The status bar would display the URL incorrectly, however the address bar always correctly displayed the full URL. There was a patch for this the same day that it was discovered Mozilla was partially affected, and an improved fix has since been checked in to all major Mozilla variants. Mozilla 1.6 is fixed, as will be Firebird 0.8 (due any day now).

    Check to see if your browser is vulnerable at the Secunia Address Bar Spoofing test page.

  9. Re:They can't be serious... by ChaosDiscord · · Score: 5, Informative

    How can you Linux guys live without the Toolbar ? I *need* to know. Are you actually going to google.com every time you want to find a pic?

    When I was using Galeon, I would just put a "Search Google" box in my toolbar. (Here's a screenshot with three Google search boxes. Two of them are folded closed to save space). Firebird has similar functionality.

    For a variety of reasons I switched back to plain old Mozilla, and certainly don't visit Google.com directly. Personally I use bookmark keywords. I've got "g" mapped to Google, so I just type something like "g galeon screenshots" in my address bar and I get a search for "galeon screenshots" from Google. It's such a handy feature that I've got similar keywords for Wikipedia, Everything2, dictionary.com, FreshMeat, and a few others.

    However, if I was only using one search engine, I might use the default behavior built into the address bar. When you type an address in, a drop list of suggestions appears below. The bottom one is always, "Search ENGINE for 'YOUR KEYWORDS'", where ENGINE is one of the many options you can configure (including Google), and YOUR KEYWORDS are whatever you typed. You just select it and off you go.

    If you're really keen on having a search box dedicated to Google, well, besides trying something like Galeon or Firebird, you can install the Googlebar (screenshots). Personally I'm no longer keen on adding search boxes to toolbars, I want less user interface on screen, not more. Less interface means more space for actual web page.

    How are you checking PageRankings?

    As a general rule I try to not obsess about what piece of software thinks about my web site or the web sites of others. Knowing PageRanking is certainly amusing, and it may be marginally useful if you're doing professional web work, but is it really that critical?

    I'll admit, it's a shame Mozilla doesn't provide it, but it's not really that big of a deal.

    As a bonus, it's the best popup blocker ever. I haven't seen one in a year and a half.

    Neither have I. It seems a bit odd to co-mingle popup-blocking and searching into a single component, but I guess if it works for you. Mozilla's popup blocking support works great and comes built in to the browser. As a bonus I can also stop sites from doing other irritating things. For example, I've forbidden sites from resizing or moving existing windows or moving windows up and down in the screen ordering. If you're sick of sites doing stupid crawls in your status bar or hiding the real destination for links you can just click "Allow scripts to...Change status bar text."

    I do like the tabbed browsing but it's like I have tabbed browsing now; I just have a dozen browsers open. I switch between them along the taskbar. RAM is cheap today gentleman. I don't really care how many of my machine's resources it takes.

    Tabbed browsing has never been about resources; that you think it does shows a serious lack of understanding about modern web browsers. Every major browser (including IE and Mozilla) will only run one copy of the program, regardless of how many windows you have open. Tabs are not significantly more efficient than windows.

    Tabbed browsing is about organization. The task bar works fine, but it doesn't scale. If you've got 20 windows open you've just got twenty little teeny icons with almost no text. XP's grouping helps, but all of the web browser windows get lumped together. A typical use case would be to have a window open to a web email site, another window reading a list of bugs assigned to me and a bunch of tabs for individual bugs I'm loo