Microsoft Advises to Type in URLs Rather than Click
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
i always knew that those hyperlinks were a bad security problem. Web designers should really avoid those proprietary 'href' tags for security reasons.
I have a suggestion that's not in the Knowledge Base: don't use IE!
Yeah, and I have a solution to prevent malicious programs like IE from running that's not in the Knowledge Base...
Install Linux.
I hear you can buy a copy of it for around $600 somewhere.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I say go one step further for ultimate security and telnet to port 80.
Why risk using the Web at all? Just e-mail the webmaster and ask him to fax the webpages to you!
These sigs are more interesting tha
In other news M$ advises all online banking users to walk in to their nearest bank office to secure their online banking...
The point is there's a bug in IE that even with JavaScript turned off people can give the impression that you're going to a different URL than you really are, the worst thing is it also affects the address bar. Be safe, don't use IE
So now MS is promoting a return to command line interfaces?
Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for /., the advice to type URLs into the address bar may be one that we should all take to heart in the future.
As pointed out here, the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.
Example: one could replace the o's in http://www.microsoft.com with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.
A more serious example: my bank, the Dutch Rabobank, features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.
A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.
Are there any people from countries using non-latin domain names that might want to comment on this?
Support a Europe-related section on Slashdot!
Then you have to fight the bizarre built-in pro-Microsoft stance of pretty much any non-techy computer user. I swear MS are putting something in the water.
You could install computers with IE and Mozilla, with a large message that popped up *every time* you ran IE saying "This browser is insecure and will allow criminals to steal your money. There is a far more powerful and secure browser on this computer - it's the red icon on the desktop".
And people would still use IE "'cos it's Microsoft".
But it still doesn't make sense. Some secure sites have a feature that requires a referrer link when you access different pages. If you type in a URL, there is no referrer link, and so in that case, you might not be able to access that site.
On the other hand, I use Opera, and I love it. While it has a little banner that displays ads depending on what you're currently surfing (unless you pay 30 bucks for it), I find it in no way to be intrusive. Go try it out.
It hasn't made it on Slashdot yet, but Netcraft is reporting that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.
For more information, please see Microsoft's advisory. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".
After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..
Workarounds for this new behavior are listed as:
* Do not include user information in HTTP or HTTPS URLs.
* Instruct users not to include their user information when they type HTTP or HTTPS URLs.
How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
(1) Checkbox to disable "kiosk mode" from EVER happening!
(2) Checkbox to disable pop-up windows (or prompt user per pop-up) as opposed to disabling Javascript altogether.
(3) Outlook-specific settings for HTML preview so that most features can be turned off for e-mail preview; stop spam from essentially calling home via preview, or playing virus MP3, etc. For example, by default forbid all HTML-formatted e-mail from accessing the Internet and running scripts -- just totally passive HTML. The user, at his or her discretion, can right-click on the body of an e-mail to select further previewing rights for trusted mail.
(4) Checkbox to reject URLs that use unicode characters -- just an option;
(5) Checkbox to forbid wacky URLs with "obvious" redirection tricks;
(6) Option to set the "maximum number of browser windows to open per second". One can set this to a rate slower than one's ALT-F4 pressing rate, to win the battle against run-away pop-ups.
Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...
So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank...
ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.
Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.
"Protect yourself from email worms by walking to the post office!"
"Protect yourself from p2p worms by buying your music on 8-track tape!"
"Protect yourself from joe-jobs by not using your hotmail address!"
"Protect yourself from internet credit card theft by using dollar bills exclusively!"
"Protect yourself from e-banking snoopers by keeping your savings under the mattress!"
"Protect yourself from spam by disconnecting the internet!"
"For Christ's sake, protect yourself from illegal operations by turning off your computer NOW!
(Oops, this one's not new.)
This is... O U T R A G E O U S !
How on EARTH did someone write this KB article without cracking up. Are they for real or what?
I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right mind would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...
Yeah, right. I can't get over this article - it's nearly like a spoof or something.
I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.
-- *~()____) This message will self-destruct in 5 seconds...
Can I have my karma now?
I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.
Now, from the "but it's so easy to use" department:
Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate used for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.
Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name and nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.
From the "but it's so easy to use" department, take two:
In the Address bar, type the following command, and then press ENTER:
javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");
I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.
So what's next then? ....Write your emails in outlook, then print them and mail them in an envelope, all the benefits of outlook with the added security of Physical Delivery (tm)*(new improved feature, Microsoft patent pending).
You missed the point.
http://www.amazon.com%01@malicious-site.com
will show as http://www.amazon.com%01@malicious-site.com in Mozilla, Firebird, Opera, etc.
In IE, it will show as http://www.amazon.com
That is the flaw. It has everything to do with IE.
Goatse trolls on Slashdot taught me not to click hyperlinks LONG before they became a security issue!
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
In an ideal, standardized world where W3C specs were followed, and no-one sought to conquer the entire web through non-standard HTML extensions and market dominance...
In such a pretty and ideal place, you wouldn't have to develop different sites for different browsers. You are making yourself the extra work, by supporting non-standards. No sympathy for you, my friend. No sympathy for the devil, indeed.
As a slashdotter I thought you knew that IE is more or less a Win32-only product. And there's a hell of a lot more to the internet than Win32.
Anyone excusing their IE support with sheer market dominance has obviously rid themselves of all the principles the net was founded on. But I guess that is ok, since most IE users wouldn't know.
Not Buzzword 2.0 compliant. Please speak english.
To ask the user not to click on bad URL's is to admit:
1) we (Microsoft) know what a bad url is
2) we (Microsoft) assume that you may know what a bad url is
3) but for the life of us, we (Microsoft) just can't tell IE what a bad URL is
4) we (Microsoft) give up trying to teach IE what a bad URL is
5) hence we (Microsoft) ask you to please take care and avoid bad URL links
Hallowed are the Ori
The bug is not allowing URLs style:
http://fake.host.as.username@the.real.evi
This is perfectly legal and most people will spot it! (well, at least I do.)
The bug is:
http://fake.host.as.username[somespecialchar
where the special character prevents IE from displaying anything after it.
This is NOT the case in other browsers, this is a serious vulnerability (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
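The two tricks discussed in this thread, the `something@real-host` userinfo prefix with a display-truncating `%01` and the Unicode homograph hostname, can both be caught mechanically before a link is ever followed. The following inspector is an added example, not code from the thread or from Microsoft; the sample links are constructed (the `malicious-site.com` one mirrors the post above, and the last one swaps a Cyrillic "о" into "microsoft"), and it reports the host a browser would actually connect to alongside what looks suspicious about the link.

```python
import unicodedata
from urllib.parse import urlsplit, unquote

# Constructed sample links, not taken from any real page.
SAMPLE_LINKS = [
    "https://www.rabobank.nl/",
    "http://www.amazon.com%01@malicious-site.com",
    "http://fake.host.as.username@the.real.evil.example",
    "http://www.micr\u043esoft.com/",  # U+043E: Cyrillic small letter o
]


def letter_scripts(host):
    """Unicode script names (LATIN, CYRILLIC, GREEK, ...) of the letters in host."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}


def inspect_url(url):
    """Return {'host': real_host, 'warnings': [...]} for one link.

    The host is resolved the way a browser does it: everything after the
    last '@' in the authority, so 'www.amazon.com%01@' is only userinfo.
    """
    warnings = []
    parts = urlsplit(url)
    authority = parts.netloc
    if "@" in authority:
        warnings.append("userinfo present: text before '@' is not the host")
    # %01 and friends: decode percent-escapes, then look for control characters
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(authority)):
        warnings.append("control character in authority (display-truncation trick)")
    host = parts.hostname or ""
    if not host.isascii():
        warnings.append("non-ASCII hostname (possible homograph)")
    scripts = letter_scripts(host)
    if len(scripts) > 1:
        warnings.append("mixed scripts in hostname: " + ", ".join(sorted(scripts)))
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = inspect_url(link)
        status = "OK " if not result["warnings"] else "BAD"
        print(f"{status} {link!r} -> host={result['host']!r} {result['warnings']}")
```

A mail gateway or proxy can run the same check over every link and rewrite or flag anything that returns warnings, which is the automated version of the "type it yourself" advice.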
If your roommate is that unwilling to change browsers when other people suggest, perhaps he'd be willing to upgrade when "Microsoft" tells him to.
I've sent that page to a few people now, and the responses are pretty amusing. It redirects IE users to a spoofed MS Update page for Internet Explorer that offers Mozilla for download as the "update" for IE.
why don't people see that this is a MAJOR FLAW with the OS?
the majority of home PC users are not slashdot geeks and simply don't have the time, and shouldn't have to worry about this sort of stuff.
the whole founding principle of a home PC is that joe somebody is empowered to pursue his lifelong dream of starting a small business and can focus on producing/selling/etc. without having to be a mainframe technician on top of it. at what point does the amount of required fixes/patches/workarounds make a device cease being a tool and become a liability instead?
sally middle-school teacher should be able to check her email without 5 service packs.
bill janitor should be able to boot up a computer and check a sports score without being deceived by a major browser flaw into installing 16 trojans and zombie-fying his machine.
the folks at redmond have forgotten so utterly and completely that the original idea of a computer was to help people that it's mind boggling.
one of the most satisfying things in software dev can be watching someones day become markedly easier b/c of something you worked on.
microsoft has become the antithesis of that.
My hands cramped up about halfway through typing http://support.microsoft.com/default.aspx?scid=kb; %5Bln%5D;833786 . :)