Microsoft Advises to Type in URLs Rather than Click
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
They turn off all the 'automate EVERYTHING' approaches Microsoft seems to think are a good idea, then it will become safe again to actually click on the links?
Really, perhaps a few more people should install Pegasus email under Windows, and download Mozilla Firebird - the world would really be a slightly better place!
Or is that just too obvious?
PS: What on EARTH is up with IE's CSS support? Is it intentionally designed to be completely broken?
Sigh.
Let's say an M$ user types in a URL, but on that URL there is a redirection to a faulty URL? The thing is, they can do nothing about it. And nowadays some regular URLs have like 30+ characters with all those PHP-Nuke/Puke portal engines and horror CMS engines. So, M$ crew, create a real browser and stop dragging us/them back to the stone age...
Sinisa
Then you have to fight the bizarre built-in pro-Microsoft stance of pretty much any non-techy computer user. I swear MS are putting something in the water.
You could install computers with IE and Mozilla, with a large message that popped up *every time* you ran IE saying "This browser is insecure and will allow criminals to steal your money. There is a far more powerful and secure browser on this computer - it's the red icon on the desktop".
And people would still use IE "'cos it's Microsoft".
So it's up to the browser makers to take action if this is really a security risk.
The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar, making this not possible.
You don't even need to go digging for Unicode characters to pull off tricks like that. As demonstrated on Slashdot itself! Some examples: Anonvmous Coward (y replaced by v), MonTemp1ar (l replaced by 1 (one)). At least with /. usernames you have the UID that can be checked against to confirm the person's identity. No such luck if you apply the same trick to URLs - how many people are going to spot the difference?
-MT.
I fully agree with you that it should not be necessary. However, I assume that you are from a country using a Latin charset (being Dutch, I am). However, even though we as "westerners" might still be in the majority (are we still?), this might not always be like this.
For example: the number of Chinese internet users went from roughly 600 thousand to 80 million in the timespan 1997-2003. So there will be lots more. And that's only China. I can only imagine that these people want domains in their own charset (at least we have lots of domain names in Dutch here in Holland, but of course we have the advantage of using a Latin charset).
In that case, a general "block" on multilingual domains in the address bar won't work.
Support a Europe-related section on Slashdot!
How on EARTH did someone write this KB article without cracking up? Are they for real or what?
I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here? "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...
Yeah, right. I can't get over this article - it's nearly like a spoof or something.
I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.
-- *~()____) This message will self-destruct in 5 seconds...
Yes. Unfortunately they never seem to have realized they could avoid the problem by doing like Opera for example... Dialog:
-----
You are entering www.thewebsite.com while using this login information:
User name: blah
Password: foo
Proceed?
[ Yes ] [ No ]
-----
Beware: In C++, your friends can see your privates!
I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.
Now, from the "but it's so easy to use" department:
Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate used for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.
Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name and nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.
From the "but it's so easy to use" department, take two:
In the Address bar, type the following command, and then press ENTER:
javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");
I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.
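The "machine to do things like that" the poster asks for is not hard to sketch. The following is an added example, not code from the KB article or from the Slashdot poster: it takes the URL shown in the address bar and the name(s) from the certificate's "Issued to" field as plain strings and performs the comparison the KB tells users to do by hand, including the usual browser rules for wildcard names. It assumes the certificate names are supplied by the caller (no live TLS handshake), and the sample inputs are constructed from names that appear in this thread.

```javascript
// Added example (not from the KB article or the Slashdot post): a small
// defender-side check that compares a site's URL with the name on its
// TLS certificate, the way the KB tells users to do by hand.
// Assumptions: certificate names are supplied as plain strings (what the
// "Issued to" dialog shows, plus any subject alternative names); no live
// TLS handshake is performed. Uses Node's global URL class.

// Normalise a hostname: lower-case, strip a trailing dot.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// Does one certificate name (possibly a wildcard such as *.example.com)
// cover the given hostname? Follows the usual browser rules: the wildcard
// may only be the entire leftmost label, and it never spans a dot.
function certNameMatchesHost(certName, hostname) {
  const name = normaliseHost(certName);
  const host = normaliseHost(hostname);
  if (!name.includes('*')) return name === host;

  const nameLabels = name.split('.');
  const hostLabels = host.split('.');
  // Wildcard allowed only as the whole first label, and the name must have
  // at least two labels after it (so "*.com" is rejected).
  if (nameLabels[0] !== '*' || nameLabels.length < 3) return false;
  // Same label count means the wildcard matched exactly one label.
  if (nameLabels.length !== hostLabels.length) return false;
  // Remaining labels must match exactly.
  return nameLabels.slice(1).join('.') === hostLabels.slice(1).join('.');
}

// The check a user is told to do by hand: is the page over https, and
// does any name on the certificate match the host in the address bar?
// Returns a verdict object rather than a bare boolean so the reason is kept.
function checkSite(pageUrl, certNames) {
  const url = new URL(pageUrl);
  // Same string the KB's javascript: command would display.
  const actual = url.protocol + '//' + url.hostname + '/';
  if (url.protocol !== 'https:') {
    return { actual, ok: false, reason: 'not using SSL/TLS' };
  }
  const matched = certNames.find(n => certNameMatchesHost(n, url.hostname));
  if (!matched) {
    return { actual, ok: false, reason: 'certificate name does not match ' + url.hostname };
  }
  return { actual, ok: true, reason: 'certificate issued to ' + matched };
}

// Constructed sample inputs (hostnames taken from this thread).
console.log(checkSite('https://www.thewebsite.com/login', ['*.thewebsite.com']));
console.log(checkSite('https://www.paypl.com/', ['www.paypal.com']));
console.log(checkSite('http://www.thewebsite.com/', ['www.thewebsite.com']));
```

The wildcard handling is the part most often got wrong when people do this by eye: "*.thewebsite.com" covers www.thewebsite.com but neither thewebsite.com itself nor a.b.thewebsite.com, and a bare "*.com" is never accepted.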
A simple solution is to render characters from a different code page than the default in a different color in URLs.
Nothing semantically special about link text? Doesn't the fact that it is acting as the anchor of the link make it semantically significant? Or are you thinking in wholly human-readable terms?
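Both the look-alike usernames mentioned earlier (Anonvmous, MonTemp1ar) and the colour-the-foreign-characters suggestion just above come down to the same two checks: does a host label mix scripts, and does it collapse to the same "skeleton" as a name the user already trusts? The following is an added example, not code from any browser or from this thread: it marks characters outside the label's main script with brackets in place of a colour, and compares the hostname against a constructed trusted list standing in for the user's bookmarks (the "UID you can check against" that URLs lack). It assumes Node 10 or later for Unicode property escapes; the Cyrillic sample is constructed for the demonstration.

```javascript
// Added example (not from the thread or any browser's code): flag hostnames
// whose characters come from more than one script, or that differ from a
// trusted name only by look-alike characters. The "paint foreign-script
// characters a different colour" idea is shown as a text marking instead.
// Assumptions: Node 10+ (Unicode property escapes); the trusted-names list
// is a constructed stand-in for a user's bookmarks.

// Classify one character by script; digits, hyphens and punctuation are
// 'Common', anything outside the listed scripts is 'Other'.
function scriptOf(ch) {
  if (/\p{Script=Latin}/u.test(ch)) return 'Latin';
  if (/\p{Script=Cyrillic}/u.test(ch)) return 'Cyrillic';
  if (/\p{Script=Greek}/u.test(ch)) return 'Greek';
  if (/\p{Script=Han}/u.test(ch)) return 'Han';
  if (/\p{Script=Common}/u.test(ch)) return 'Common';
  return 'Other';
}

// The scripts used by the letters of a host label, in order of first
// appearance (Common characters are ignored).
function scriptsIn(label) {
  return [...new Set([...label].map(scriptOf).filter(s => s !== 'Common'))];
}

// Mark every character that is not in the expected script, e.g.
// "thewebsit[е]" for a Cyrillic е inside an otherwise Latin label.
function markForeign(label, expected = 'Latin') {
  return [...label].map(ch => {
    const s = scriptOf(ch);
    return s === 'Common' || s === expected ? ch : '[' + ch + ']';
  }).join('');
}

// Look-alike substitutions: the ASCII ones (1 for l, 0 for o, rn for m,
// vv for w) plus a few Cyrillic letters that render like Latin ones.
const CONFUSABLE = [
  [/rn/g, 'm'], [/vv/g, 'w'], [/1/g, 'l'], [/0/g, 'o'],
  [/\u0435/g, 'e'], [/\u0430/g, 'a'], [/\u043e/g, 'o'],
];

// Reduce a label to a "skeleton" so that names differing only by
// look-alikes compare equal. Lower-cases first so I and l collapse too.
function skeleton(label) {
  let s = label.toLowerCase();
  for (const [re, rep] of CONFUSABLE) s = s.replace(re, rep);
  return s;
}

// Main check: returns a list of warnings (empty means nothing suspicious).
function checkHostname(hostname, trustedHosts) {
  const warnings = [];
  const lower = hostname.toLowerCase();
  for (const label of lower.split('.')) {
    const scripts = scriptsIn(label);
    if (scripts.length > 1) {
      warnings.push('label "' + markForeign(label, scripts[0]) + '" mixes ' + scripts.join('+'));
    }
  }
  for (const trusted of trustedHosts) {
    if (lower !== trusted && skeleton(lower) === skeleton(trusted)) {
      warnings.push('looks like trusted host ' + trusted);
    }
  }
  return warnings;
}

// Constructed samples; the second hostname carries a Cyrillic е (U+0435).
const TRUSTED = ['www.thewebsite.com', 'www.paypal.com'];
console.log(checkHostname('www.thewebsite.com', TRUSTED));
console.log(checkHostname('www.thewebsit\u0435.com', TRUSTED));
console.log(checkHostname('www.montemp1ar.com', TRUSTED));
```

The two checks are deliberately independent: a mixed-script label is suspicious on its own, while the skeleton comparison only fires against names the user has already vouched for, which is what keeps it from complaining about every ordinary domain containing a 1 or a 0.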
Anyone that's trying to exploit the address bar bug will undoubtedly also include some JavaScript to set the status bar to say the name of the site they're spoofing as well. They're hardly likely to do one and not the other. Only the example exploits tend not to modify the status bar.
mailto URLs are not handled properly
I can't think of anything wrong with the way Firebird handles mailto URLs. Firebird certainly handles them better than Mozilla Navigator -- Firebird opens them in your default mail program, while Mozilla Navigator always opens them in Mozilla Mail.
The shareholder is always right.
Just check my site at http://kobylkin.com and follow any link. You will see your address bar staying the same, does not matter what site you have landed on.
I just did, Firebird 0.71 on XP.
Every URL clearly shows the correct site it's going to in the statusbar when I mouseover.
Yeah you faked it by putting your entire site in a whole-page frameset, but that's cheating - as opposed to showing a major security flaw and violation of the standards (which in this instance Microsoft is clearly admitting but flat out failing to fix).
Visit CryptoGnome in his home.
In an ideal, standardized world where W3C specs were followed, and no-one sought to conquer the entire web through non-standard HTML extensions and market dominance...
In such a pretty and ideal place, you wouldn't have to develop different sites for different browsers. You are making yourself the extra work by supporting non-standards. No sympathy for you, my friend. No sympathy for the devil, indeed.
As a slashdotter I thought you knew that IE is more or less a Win32-only product. And there's a hell of a lot more to the internet than Win32.
Anyone excusing their IE support with sheer market dominance has obviously rid themselves of all the principles the net was founded on. But I guess that is ok, since most IE users wouldn't know.
Not Buzzword 2.0 compliant. Please speak english.
I know this is offtopic flamebait, but hell it's so likely to be true...
I believe Microsoft intentionally has a slightly broken CSS, so that everything that looks good in IE will look crappy in any standard-compliant browser.
C'mon, it's not that crazy! We all know which mother has the market share here.
It's not like most people even know there are standards anyway. "People" use FrontPage, or even worse, Word to make webpages these days, remember?
So yes, I believe IE's CSS support (or the CSS support in any Microsoft product) to be intentionally broken. To gain market share. And that's paranoid me.
Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages look like shit in IE. And, no I don't bother to make IE-CSS.
Not Buzzword 2.0 compliant. Please speak english.
Perhaps for the same reason that Mozilla does not do that filtering?
I know this really isn't a popular opinion around here, but still, it needs to be said.
While it's true Windows isn't really the state of the art platform when it comes to security, it beats Linux when it comes to a few key issues. Like hardware support.
Yes. I know. Hardware support in Linux isn't that bad, but still you encounter hardware you simply cannot get working under Linux. This isn't exactly a flaw in Linux, but for all hardware that is developed, you can swear the vendor will release Windows drivers that make hardware support a non-issue.
And as far as voting with your wallet goes, you really never can tell it's an issue before you try it. This goes for my MP3-player (Creative). I couldn't get it working under any Linux or *BSD platform.
Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecessary services (Universal PnP, Remote Assistance, Remote Registry and so on...), and using non-Microsoft products. Like Mozilla or Opera for web browsing.
As much as we all love to hate Windows, it can be configured to operate decently. But in the name of "user-friendliness" it is configured to be insecure by default.
And there goes my karma.
Not Buzzword 2.0 compliant. Please speak english.
In almost all cases, if the link text in a page was not link text (i.e.: if all the href attributes were removed) it would have the same meaning.
I've seen your "almost all" shrink. Some blog authors write in a style reminiscent of Wikipedia, Everything 2, and the like, whose pages gain some of their meaning from what their words link to. For example, "dumb MF" means one thing, but "dumb MF" means another thing, namely "dumb MF, one example of which is President Bush".
"I have a suggestion that's not in the Knowledge Base: don't use IE!"
If you're the type of person who mistypes www.paypl.com (www.paypal.com) and ends up going to a scam site, using Konqueror, Opera, Safari, whatever isn't going to help you not get scammed.
That's why it's important for those who make those types of mistakes to pay attention to the URL, and not what the page looks like. And if you're complaining about not having popup blocking, well, most AV (Norton, McAfee) programs now include popup blocking. And if the person doesn't have an AV then they're probably the person who also doesn't pay attention to their URLs and is also the person who needs to learn about these things.
I know you want to be "1337" and all but pick a better example or reason to flame a product that's obviously more used than your favorite browser.
Ave Molech Setting
Any solution that relies upon millions of people changing their behavior is dead on arrival.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
The biggest problem with browsers and other web technologies is that they give more control to designers and webmasters, not to the users. Java, ActiveX, Flash, JavaScript, CSS, etc. all allow designers and webmasters to determine more precisely what should happen on the user's end. Completely wrong and unacceptable, yet this is exactly what is happening.
It is entirely possible to design a page that would open in an IE window without toolbars, scrollbars and status bar. Then it is entirely possible to add interactive graphical elements to the sides that would behave exactly like real IE interface elements, only they would be fake. This is wrong. The standards should give limited control to providers of information, while browsers give ultimate control to the users. It is completely wrong that standards allow JavaScript to intercept mouse clicks and block the right-click menu. It doesn't affect me because I use Opera, which doesn't give a shit about that, but when I click the wheel (button 3), I see that stupid message window that informs me I shouldn't right-click on that site. This isn't more than an annoyance, since scrolling still works and right-clicking is not affected at all, but this should never happen in the first place.
Unicode addresses are wrong as well. They are an annoyance to the users. Have you ever seen a user (a visitor, the one who browses the web) request ability to use Unicode in URLs? I've never heard about that. It's some webmasters, who decided they want this stupid-stupid-stupid trick to work (and greedy registrars and their marketdroids) and broke a perfectly good addressing mechanism (I am Russian, but I never ever wanted Cyrillic URLs, even though now they are apparently supported).
Future Wiki -- If you don't think about the future, you cannot have one.