Slashdot Mirror


Microsoft Advises to Type in URLs Rather than Click

spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"

14 of 984 comments

  1. Re:Hah! by byolinux · · Score: 5, Interesting

    Firebird will be, but until then, vanilla Mozilla I'd say.

    Firebird seems lacking in a few things for now.

  2. Homograph attacks might bite us all by ControlFreal · · Score: 5, Interesting

    Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for ./, the advice to type URLs into the address bar may be one that we should all take to heart in the future.

    As pointed out here, the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.

    Example: one could replace the o's in http://www.microsoft.com with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.

    A more serious example: my bank, the Dutch Rabobank, features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.

    A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.

    Are there any people from countries using non-latin domain names that might want to comment on this?

    --
    Support a Europe-related section on Slashdot!

  3. Re:Hah! by linuxci · · Score: 5, Interesting

    Personally I'd say Mozilla Firebird, but it's a matter of preference. The Mozillas are free and Opera is free if you don't mind a banner ad (or pay them for the ad-free version), so just download them all and give them a go; they all have their good points. But one thing: if you do use Opera, please go into preferences and stop it 'Identifying as IE'; that doesn't help people with flawed stats programs realise people are using alternative browsers.

    Also, if you can educate others into non-IE browsers, that will help marketshare and make more sites develop to the standards and not to MS-only HTML/JS. Although to be honest I know of very few IE-only sites, and I never need to use them anyway, YMMV.

  4. Internet Explorer should offer... by 2bot_or_not_2bot · · Score: 5, Interesting

    (1) Checkbox to disable "kiosk mode" from EVER happening! (2) Checkbox to disable pop-up windows (or prompt user per pop-up) as opposed to disabling Javascript altogether. (3) Outlook-specific settings for HTML preview so that most features can be turned off for e-mail preview; stop spam from essentially calling home via preview, or playing virus MP3, etc. For example, by default forbid all HTML-formatted e-mail from accessing the Internet and running scripts -- just totally passive HTML. The user, at his or her discretion, can right-click on the body of an e-mail to select further previewing rights for trusted mail. (4) Checkbox to reject URLs that use unicode characters -- just an option; (5) Checkbox to forbid wacky URLs with "obvious" redirection tricks; (6) Option to set the "maximum number of browser windows to open per second". One can set this to a rate slower than one's ALT-F4 pressing rate, to win the battle against run-away pop-ups.

  5. Alas, some of us have little choice. by The+Fink · · Score: 5, Interesting

    It's part of our IT department's standard operating environment to have MSIE as the only browser on Windows platforms. It's also part of their policy to prevent additional programs -- specifically including web browsers of any kind -- from being installed, and the penalty for doing so is not something I really feel like finding out. People have been fired for repeat violations.

    Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...

    So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank...

    ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.

    Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.

  6. Re:How About.. by golgotha007 · · Score: 4, Interesting

    What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

    damn, no kidding.

    i design web sites for a living. there's nothing worse than getting a web site looking just the way you want, then running a W3C CSS and HTML validator and having everything check out 100 percent. ...then to check the site with IE. holy crap, my PNG files aren't transparent anymore? what are all these extra spaces all over the place? why does the site now look so shitty?

  7. ... and SSL will still work by Craig+Ringer · · Score: 4, Interesting

    Just imagine going to:

    https://ϲоmmоnwealthbank.com.au/

    (may not display properly - whatever, you get the picture)

    and getting a perfectly valid ssl session. With entirely the wrong people - but the user would only notice if they looked at the cert.

    Of course, you'd have to find a cert registrar dumb or unethical enough to give you a cert for the domain, but with people like Verisign around that can't be hard.
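
The homograph risk raised in comment 2 (Greek or Cyrillic letters standing in for Latin ones in microsoft.com or rabobank.nl) and illustrated in comment 7 can be checked mechanically on the defending side. The following is an added example, not code from the original page or from any of the posters. It classifies each DNS label by Unicode script using the character names from Python's standard unicodedata module (which has no script property of its own), rebuilds a Latin "skeleton" from a small constructed table of look-alike characters, and shows the Punycode form that a browser would actually send to DNS. The confusables table, the sample hostnames (the commonwealthbank one is taken from comment 7, the others are constructed) and the heuristics are assumptions made for this example; a production check would use the Unicode confusables.txt data and a proper script database.

```python
import unicodedata

# Constructed table of non-Latin letters that render like ASCII letters.
# Assumption: this only covers the cases discussed on the page; a real
# deployment would load the Unicode confusables.txt data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",   # Cyrillic
    "\u03bf": "o", "\u03f2": "c", "\u03b1": "a",                  # Greek
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def script_of(ch):
    """Classify one character by the script named in its Unicode name.

    unicodedata has no Script property, so the leading word of the
    character name ("CYRILLIC SMALL LETTER O") is used as a stand-in.
    Digits, hyphens and other non-letters are treated as COMMON.
    """
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script + " "):
            return script
    return "OTHER"


def analyse_label(label):
    """Return per-label facts a defender would want to log or display."""
    scripts = sorted({script_of(c) for c in label} - {"COMMON"})
    # Replace known look-alikes with the ASCII letter they imitate.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
    try:
        # The ACE ("xn--") form is what actually goes over the wire.
        punycode = label.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # invalid label (empty, too long, prohibited code point)
    return {
        "label": label,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "punycode": punycode,
        "skeleton": skeleton,
        # A label that differs from its skeleton but collapses to pure ASCII
        # is visually impersonating an ASCII name.
        "impersonates_ascii": skeleton != label and skeleton.isascii(),
    }


def homograph_report(host):
    """Analyse every label of a hostname and flag homograph look-alikes."""
    host = unicodedata.normalize("NFC", host).lower().rstrip(".")
    labels = [analyse_label(part) for part in host.split(".")]
    return {
        "host": host,
        "looks_like": ".".join(l["skeleton"] for l in labels),
        "suspicious": any(l["mixed_script"] or l["impersonates_ascii"]
                          for l in labels),
        "labels": labels,
    }


if __name__ == "__main__":
    samples = [
        "www.rabobank.nl",                        # genuine, all Latin
        "www.r\u0430bobank.nl",                   # Cyrillic a (constructed)
        "\u03f2\u043emm\u043enwealthbank.com.au",  # comment 7's example
        "www.micr\u03bfs\u043eft.com",            # Greek omicron + Cyrillic o
    ]
    for h in samples:
        r = homograph_report(h)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['host']}  looks like {r['looks_like']}")
        for l in r["labels"]:
            if l["punycode"] and l["punycode"].startswith("xn--"):
                print(f"           label {l['label']!r} -> {l['punycode']} "
                      f"scripts={l['scripts']}")
```

Displaying the `looks_like` skeleton next to the real Punycode label is the point for a user-facing warning such as the one comment 8 credits Opera with: the user sees that the address they typed or clicked resolves to `xn--…` rather than the bank's plain ASCII name. Note that the check is per label, so a legitimate all-Cyrillic domain is not flagged as mixed-script; only labels that blend scripts or collapse to an ASCII look-alike are.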

  8. Re:They can't be serious... by Anonymous Coward · · Score: 5, Interesting

    The URL spoofing exploit also exists in Mozilla. Only Opera is sort-of immune by popping up a warning message about potentially dodgy sites.

    Considering IE is here to stay (as you could never hope to convert the masses out there who think Opera is just the thing with fat ladies singing and that Mozilla is some stupid Japanese monster) I think people's time would be better spent raising awareness of IE's flaws and encouraging Microsoft to fix them rather than encouraging people to change browser.

    Plus on /. you're preaching to the converted when talking about different browsers.

  9. Re:Hah! by byolinux · · Score: 4, Interesting

    I have Moz 1.6 and Firebird 0.71 on OS X, and I find Firebird to be lacking some little bits that prevent it from being anywhere near as good.

    Examples would be things like plugins and things from mozdev.org that don't work, preferences that are not present in Firebird, etc.

    Firebird is going to be a wonderful browser, it's already a very good browser, I just don't feel it's ready for (my) usage yet.

  10. Re:i knew it by sepluv · · Score: 5, Interesting

    Not in XHTML 2.0 -- it looks like the anchor (a) element is probably going to be deprecated now one can use href on any element (as I have said it should be for a while, because there is nothing semantically special about link text in comparison to other text).

    IMO, as XHTML 2.0 is meant to be non-backwards-compatible, they should use the a element for the functionality of the acronym and abbr elements.

    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]

  11. Re:They can't be serious... by m4rcL · · Score: 5, Interesting

    It shows beyond a shadow of a doubt how stumped Microsoft are. They must've sat for hours thinking of how to solve their problem and simply could not come up with an answer. Their software model cannot cope with this sort of thing so their only advice is to avoid using the internet properly. It's something we've all known all along. Open source works better.

  12. Re:They can't be serious... by justforaday · · Score: 5, Interesting

    Who in their right minds would ACTUALLY follow the steps here?

    i totally agree with you about the absurdity of the whole situation. however, i will admit that i know someone who will follow these instructions to a tee. my roommate refuses to listen to anyone when they recommend using an alternate browser [firebird, mozilla, and opera have all been suggested numerous times by numerous people]. instead i get to sit there and laugh at him while he bitches about popups, security holes, and having to copy/paste links into notepad to make sure they really go somewhere he wants to go. i truly get the feel that some people purposefully put themselves through pain to try to make a point. what that point is, however, is totally lost on me...

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.

  13. ultimate defeat by init-five · · Score: 5, Interesting

    To ask the user not to click on bad URLs is to admit:

    1) we (Microsoft) know what a bad URL is
    2) we (Microsoft) assume that you may know what a bad URL is
    3) but for the life of us, we (Microsoft) just can't tell IE what a bad URL is
    4) we (Microsoft) give up trying to teach IE what a bad URL is
    5) hence we (Microsoft) ask you to please take care and avoid bad URL links

    --
    Hallowed are the Ori

  14. Re:They can't be serious... by blinkylights · · Score: 5, Interesting

    Considering IE is here to stay (as you could never hope to convert the masses out there who think Opera is just the thing with fat ladies singing and that Mozilla is some stupid Japanese monster) I think people's time would be better spent raising awareness of IE's flaws and encouraging Microsoft to fix them rather than encouraging people to change browser.

    "People" do weird things sometimes - a large number of people went to the theater and paid perfectly good money to see 'Gigli' for example. I think it's incredibly weird that people still use IE even without the security problems, given that there are a number of faster, better-featured browsers available free for downloading. But "people" tend to move in flocks. All it would take would be a large enough catalyst, and I think there would be a mass migration.

    Is this it? No. People are stupid - they won't switch because they should switch. People won't switch until they come to a roadblock: they want to do something and they find they can't. Even if every IE user were to see this KB entry, 99.9% would ignore it, and they'd blame "hackers" if they got hit by the vulnerability, not MS or IE.

    If people get exposed to and get used to better browsers, though (corporate IT gets tired of trying to teach users not to click on things, for example), they'll get used to tabbed browsing, native popup-blocking, their BenJen browser theme, etc., then find they can't do the same at home with IE... they'll switch.

    If IE were almost as good as Opera or Firebird, you'd be right about it being nigh invulnerable. It just isn't, though.