Microsoft Advises to Type in URLs Rather than Click

spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"

15 of 984 comments

  1. How About.. by thesupraman · · Score: 4, Insightful

    If they turn off all the 'automate EVERYTHING' approaches Microsoft seem to think are a good idea, then it will become safe again to actually click on the links?

    Really, perhaps a few more people should install Pegasus email under Windows and download Mozilla Firebird - the world would really be a slightly better place!

    Or is that just too obvious?

    PS: What on EARTH is up with IE's CSS support? Is it intentionally designed to be completely broken?

    Sigh.

  2. What about .... by sdukaric · · Score: 4, Insightful

    Let's say an M$ user types in a URL, but that URL redirects to a faulty URL? The thing is, they can do nothing about it. And nowadays a regular URL has like 30+ characters with all those PHP-Nuke/Puke portal engines and horror CMS engines. So, M$ crew, create a real browser and stop dragging us/them back to the stone age...

    --
    Sinisa
  3. Re:Easier way... by BenjyD · · Score: 5, Insightful

    Then you have to fight the bizarre built-in pro-Microsoft stance of pretty much any non-techy computer user. I swear MS are putting something in the water.
    You could install computers with IE and Mozilla, with a large message that popped up *every time* you ran IE saying "This browser is insecure and will allow criminals to steal your money. There is a far more powerful and secure browser on this computer - it's the red icon on the desktop".
    And people would still use IE "'cos it's Microsoft".

  4. Re:Homograph attacks might bite us all by linuxci · · Score: 4, Insightful

    There's no excuse for having to go to ridiculous means to prevent spoofing, and manually typing in URLs is excessive. In fact, I'd say the vast majority of people in here who use IE at home out of choice are doing it because they're too lazy to try alternatives (I can't think of any other reason why they'd prefer IE), so they're not gonna type URLs manually either - and the non-tech-literate public won't even know to do this.

    So it's up to the browser makers to take action if this is really a security risk.

    The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar, making this impossible.

  5. Re:Homograph attacks might bite us all by MonTemplar · · Score: 4, Insightful

    You don't even need to go digging for Unicode characters to pull off tricks like that. As demonstrated on Slashdot itself! Some examples: Anonvmous Coward (y replaced by v), MonTemp1ar (l replaced by 1 (one)). At least with /. usernames you have the UID that can be checked against to confirm the person's identity. No such luck if you apply the same trick to URLs - how many people are going to spot the difference?

    -MT.
  6. Re:Homograph attacks might bite us all by ControlFreal · · Score: 4, Insightful

    I fully agree with you that it should not be necessary. However, I assume that you are from a country using a Latin charset (being Dutch, I am). But even though we as "westerners" might still be in the majority (are we still?), this might not always be the case.

    For example: the number of Chinese internet users went from roughly 600 thousand to 80 million in the timespan 1997-2003. So there will be lots more. And that's only China. I can only imagine that these people want domains in their own charset (at least we have lots of domain names in Dutch here in Holland, but of course we have the advantage of using a Latin charset).

    In that case, a general "block" on multilingual domains in the address bar won't work.

    --
    Support a Europe-related section on Slashdot!
  7. They can't be serious... by zoney_ie · · Score: 5, Insightful

    How on EARTH did someone write this KB article without cracking up? Are they for real or what?

    I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...

    Yeah, right. I can't get over this article - it's nearly like a spoof or something.

    I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.

    --
    -- *~()____) This message will self-destruct in 5 seconds...
  8. Re:Microsoft to remove the @ symbol from URLs by Jugalator · · Score: 4, Insightful

    Yes. Unfortunately they never seem to have realized they could avoid the problem by doing as Opera does, for example. Dialog:

    -----
    You are entering www.thewebsite.com while using this login information:

    User name: blah
    Password: foo

    Proceed?

    [ Yes ] [ No ]
    -----

    --
    Beware: In C++, your friends can see your privates!
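
The dialog above, as an added example in JavaScript (Node.js) that is not Opera's code and not from any commenter: the WHATWG URL parser is asked where a link really goes and what credentials it carries, and the prompt is built from that. A link of the form http://www.thewebsite.com@evil.example/ sends the user to evil.example with the user name www.thewebsite.com, which is the trick the @-removal is meant to stop; evil.example and the sample links are constructed for this example.

```javascript
// Added example (not Opera's code, not from the thread): the confirmation dialog
// described above, built from what the URL parser says about a link.

// Percent-decoding a malformed sequence throws; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Where a link really goes, and what credentials ride along with it.
// Returns null when the string is not a URL at all.
function inspectLink(href) {
  let u;
  try { u = new URL(href); } catch { return null; }
  const username = safeDecode(u.username);
  const password = safeDecode(u.password);
  const hasUserinfo = username !== '' || password !== '';
  return {
    realHost: u.hostname,          // the same value location.hostname would show
    username,
    password,
    hasUserinfo,
    // The classic trick: text before "@" shaped like a host name, so the eye
    // reads "www.thewebsite.com" and misses the real host after the "@".
    spoofLikely: hasUserinfo && username.includes('.'),
  };
}

// Text of the prompt the comment describes. null means no credentials, no dialog.
function confirmationPrompt(href) {
  const info = inspectLink(href);
  if (info === null) return 'Not a valid URL: ' + href;
  if (!info.hasUserinfo) return null;
  const lines = [
    'You are entering ' + info.realHost + ' while using this login information:',
    '',
    'User name: ' + info.username,
    'Password: ' + info.password,
  ];
  if (info.spoofLikely) {
    lines.push('', 'Warning: "' + info.username + '" looks like a site name; the site you will reach is ' + info.realHost + '.');
  }
  lines.push('', 'Proceed?');
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed links: the comment's own values, then a spoof using a made-up host.
  console.log(confirmationPrompt('http://blah:foo@www.thewebsite.com/'));
  console.log(confirmationPrompt('http://www.thewebsite.com@evil.example/login'));
}
if (typeof module !== 'undefined') module.exports = { inspectLink, confirmationPrompt };
```

The point of asking the parser rather than the eye is that the parser has only one answer for the host, whatever the link text or the part before the "@" looks like.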
  9. Absolutely hysterical by BigRedFish · · Score: 5, Insightful

    I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:

    • The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.

    Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.

    Now, from the "but it's so easy to use" department:

    • Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate used for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.

    Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name and nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.

    From the "but it's so easy to use" department, take two:

    • In the Address bar, type the following command, and then press ENTER:
      javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");

    I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.

  10. Re:Homograph attacks might bite us all by Anonymous Coward · · Score: 5, Insightful

    A simple solution is to render characters from a different code page than the default in a different color in urls.
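
The homograph subthread above (the "multiple charsets in the URL bar" point, the MonTemp1ar-style ASCII lookalikes, the legitimate non-Latin domains objection, and the "different colour" idea in this comment) as one added example in JavaScript (Node.js), not code from any commenter, a browser vendor, or the KB article. It classifies each label of a hostname by Unicode script, allows the script mixes that legitimate names use (modelled on the "Highly Restrictive" level of Unicode TR39, so a Japanese Han-plus-kana label is not flagged), tags characters outside Latin so a UI could colour them, and reduces names to a confusable "skeleton" so that paypa1 or a Cyrillic-а "pаypal" is caught against a trusted list. The confusable table is a hand-picked subset and is an assumption of this example, as are the sample hostnames.

```javascript
// Added example (not from the thread or the KB article): homograph / lookalike checks
// on a hostname as the user sees it. Node.js, no dependencies.

// Scripts we tell apart; anything else is "Other". Common/Inherited cover digits, '-', '.'
// and combining marks, which belong to no script.
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Hebrew', 'Arabic',
  'Han', 'Hiragana', 'Katakana', 'Hangul', 'Bopomofo'];
const SCRIPT_RE = SCRIPTS.map(s => [s, new RegExp('^\\p{Script=' + s + '}$', 'u')]);
const COMMON_RE = /^[\p{Script=Common}\p{Script=Inherited}]$/u;

function scriptOf(ch) {
  if (COMMON_RE.test(ch)) return 'Common';
  for (const [name, re] of SCRIPT_RE) if (re.test(ch)) return name;
  return 'Other';
}

// Script combinations that occur in legitimate names (modelled on the "Highly
// Restrictive" level of Unicode TR39). Japanese mixes Han with kana, for instance,
// so a flat "one script per label" rule would reject real domains.
const ALLOWED_MIXES = [
  ['Latin', 'Han', 'Hiragana', 'Katakana'],
  ['Latin', 'Han', 'Bopomofo'],
  ['Latin', 'Han', 'Hangul'],
];
function isAllowedMix(scripts) {
  if (scripts.size <= 1) return true;
  return ALLOWED_MIXES.some(fam => [...scripts].every(s => fam.includes(s)));
}

// Per-label script analysis. A label mixing, say, Latin and Cyrillic is flagged.
function analyzeHostname(hostname) {
  const labels = hostname.split('.').map(label => {
    const scripts = new Set();
    for (const ch of label) {
      const s = scriptOf(ch);
      if (s !== 'Common') scripts.add(s);
    }
    return { label, scripts: [...scripts], mixedScript: !isAllowedMix(scripts) };
  });
  return { hostname, labels, mixedScript: labels.some(l => l.mixedScript) };
}

// The "different colour for foreign characters" idea: a browser would colour them;
// plain text can only tag them with their code point.
function markForeign(hostname) {
  let out = '';
  for (const ch of hostname) {
    const s = scriptOf(ch);
    if (s === 'Common' || s === 'Latin') { out += ch; continue; }
    out += '<' + ch + ' U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0') + '>';
  }
  return out;
}

// Hand-picked confusables (ASSUMPTION: a small subset, not TR39's full table).
const CONFUSABLES = new Map([
  ['1', 'l'], ['|', 'l'], ['0', 'o'],
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'], ['\u0440', 'p'],
  ['\u0441', 'c'], ['\u0445', 'x'], ['\u0443', 'y'], ['\u0456', 'i'],
]);

// Reduce a name to a skeleton: lowercase, map single-character confusables, then
// collapse letter pairs that read as one letter ("rn" -> "m", "vv" -> "w").
function skeleton(hostname) {
  let s = '';
  for (const ch of hostname.toLowerCase()) s += CONFUSABLES.get(ch) ?? ch;
  return s.replace(/rn/g, 'm').replace(/vv/g, 'w');
}

// Which trusted host does this name impersonate? null if it is one of them exactly
// or resembles none.
function looksLike(hostname, trustedHosts) {
  const lower = hostname.toLowerCase();
  if (trustedHosts.some(t => t.toLowerCase() === lower)) return null;
  const sk = skeleton(hostname);
  return trustedHosts.find(t => skeleton(t) === sk) ?? null;
}

// What goes on the wire: the WHATWG URL parser turns a Unicode host into punycode,
// which is the form a user would have to type to reach the same site.
function wireHost(urlString) {
  return new URL(urlString).hostname;
}

if (typeof require !== 'undefined' && require.main === module) {
  const spoof = 'p\u0430ypal.com'; // constructed: Latin "paypal" with Cyrillic а (U+0430)
  console.log(analyzeHostname(spoof).labels[0]);      // scripts Latin + Cyrillic, mixedScript true
  console.log(markForeign(spoof));                     // p<а U+0430>ypal.com
  console.log(looksLike('MonTemp1ar.example', ['MonTemplar.example']));
  console.log(wireHost('http://' + spoof + '/'));      // xn--... form
}
if (typeof module !== 'undefined') {
  module.exports = { scriptOf, analyzeHostname, markForeign, skeleton, looksLike, wireHost };
}
```

Two things worth noticing when running it: the skeleton check catches the plain-ASCII "1 for l" substitutions that need no Unicode at all, and the mixed-script check alone would also flag ordinary Japanese or Korean names if the allowed-mix table were dropped, which is the objection raised about blocking multilingual domains outright.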

  11. In an ideal standard world... by trezor · · Score: 5, Insightful

    In an ideal, standardized world where W3C specs were followed, and no one sought to conquer the entire web through non-standard HTML extensions and market dominance...

    In such a pretty and ideal place, you wouldn't have to develop different sites for different browsers. You are making yourself the extra work by supporting non-standards. No sympathy for you, my friend. No sympathy for the devil, indeed.

    As a slashdotter I thought you knew that IE is more or less a Win32-only product. And there's a hell of a lot more to the internet than Win32.

    Anyone excusing their IE support with sheer market dominance has obviously rid themselves of all the principles the net was founded on. But I guess that is OK, since most IE users wouldn't know.

    --
    Not Buzzword 2.0 compliant. Please speak english.
  12. Almost by trezor · · Score: 4, Insightful
    • PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

    I know this is offtopic flamebait, but hell it's so likely to be true...

    I believe Microsoft intentionally has a slightly broken CSS, so that everything that looks good in IE will look crappy in any standard-compliant browser.

    C'mon, it's not that crazy! We all know which mother has the market share here.

    It's not like most people even know there are standards anyway. "People" use FrontPage, or even worse, Word to make webpages these days, remember?

    So yes, I believe IE's CSS support (or the CSS support in any Microsoft product) to be intentionally broken. To gain market share. And that's paranoid me.

    Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages look like shit in IE. And, no I don't bother to make IE-CSS.

    --
    Not Buzzword 2.0 compliant. Please speak english.
  13. Windows can be secure by trezor · · Score: 4, Insightful

    I know this really isn't a popular opinion around here, but still, it needs to be said.

    While it's true Windows isn't really the state-of-the-art platform when it comes to security, it beats Linux when it comes to a few key issues. Like hardware support.

    Yes. I know. Hardware support in Linux isn't that bad, but still you encounter hardware you simply cannot get working under Linux. This isn't exactly a flaw in Linux, but for all hardware that is developed, you can swear the vendor will release Windows-drivers that makes hardware support a non-issue.

    And as far as voting with your wallet goes, you really never can tell it's an issue before you try it. This goes for my MP3-player (Creative). I couldn't get it working under any Linux or *BSD platform.

    Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecessary services (Universal PnP, Remote Assistance, Remote Registry and so on...), and using non-Microsoft products. Like Mozilla or Opera for web browsing.

    As much as we all love to hate Windows, it can be configured to operate decently. But in the name of "user-friendliness" it is configured to be insecure by default.

    And there goes my karma.

    --
    Not Buzzword 2.0 compliant. Please speak english.
    1. Re:Windows can be secure by bilbobuggins · · Score: 5, Insightful

      • Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecessary services (Universal PnP, Remote Assistance, Remote Registry and so on...), and using non-Microsoft products. Like Mozilla or Opera for web browsing.

      Why don't people see that this is a MAJOR FLAW with the OS?
      The majority of home PC users are not Slashdot geeks and simply don't have the time, and shouldn't have to worry about this sort of stuff.
      The whole founding principle of a home PC is that Joe Somebody is empowered to pursue his lifelong dream of starting a small business and can focus on producing/selling/etc. without having to be a mainframe technician on top of it. At what point does the amount of required fixes/patches/workarounds make a device cease being a tool and become a liability instead?

      Sally Middle-School Teacher should be able to check her email without 5 service packs.
      Bill Janitor should be able to boot up a computer and check a sports score without being deceived by a major browser flaw into installing 16 trojans and zombie-fying his machine.

      The folks at Redmond have forgotten so utterly and completely that the original idea of a computer was to help people that it's mind-boggling.

      One of the most satisfying things in software dev can be watching someone's day become markedly easier b/c of something you worked on.
      Microsoft has become the antithesis of that.

  14. XHTML = DOA by mccrew · · Score: 4, Insightful
    Now I'll be the first to say that XHTML is a good thing and all that HTML should have been, but unfortunately the horse has already left the barn, and so designing a more secure barn door lock is mostly an academic exercise. Clients are written to deliberately be tolerant of HTML, and to degrade gracefully in the face of malformed, broken, or just-plain-wrong HTML elements. There is just too much valuable information in HTML 3.2 out there that nobody will accept a client that is hard-core XHTML only, and so if XHTML clients have to be backwards compatible to be used, what's the motivation to go to the pains of converting to XHTML? I don't see it.

    Any solution that relies upon millions of people changing their behavior is dead on arrival.

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.