Topics: Internet Explorer, The Internet, It's funny. Laugh., Security

Microsoft Advises to Type in URLs Rather than Click

spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"


  • by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Friday January 30, 2004 @06:04AM (#8133066) Homepage
    Like that you'll at least always see where the link is going before you go there.
  • by linuxci ( 3530 ) on Friday January 30, 2004 @06:10AM (#8133094)
    The point is there's a bug in IE that, even with JavaScript turned off, people can give the impression that you're going to a different URL than you really are; the worst thing is it also affects the address bar. Be safe, don't use IE.
  • Re:Hah! (Score:3, Informative)

    by Skyfire ( 43587 ) on Friday January 30, 2004 @06:10AM (#8133095) Homepage
    Firebird [mozilla.org] is definitely the best.
  • Re:Hah! (Score:4, Informative)

    by Bish.dk ( 547663 ) <haasNO@SPAMitu.dk> on Friday January 30, 2004 @06:12AM (#8133108) Homepage
    What is the best browser for MS platform?? Mozilla, Opera,?? Let a brother know.

    Mozilla Firebird [mozilla.org] is a lean, mean browsing machine. Highly recommended. Remember not to click the link if you're in IE!
  • Don't use IE (Score:4, Informative)

    by 91degrees ( 207121 ) on Friday January 30, 2004 @06:19AM (#8133136) Journal
    I try to convince other people of this. Firebird contains a popup blocker, supports tabbed browsing, is more secure, and has a gestures plugin.

    The other people just don't. It's not like they don't know how. These are proper techies. They just make up daft excuses like not trusting free software.

    Maybe trust is important. You can trust IE after all. You can trust it to be insecure.
  • by teledyne ( 325332 ) on Friday January 30, 2004 @06:23AM (#8133154)
    But it still doesn't make sense. Some secure sites have a feature that requires a referrer link when you access different pages. If you type in a URL, there is no referrer link, and so in that case, you might not be able to access that site.

    On the other hand, I use Opera, and I love it. While it has a little banner that displays ads depending on what you're currently surfing (unless you pay 30 bucks for it), I find it in no way to be intrusive. Go try it out.
  • by Ozone Depletion ( 738650 ) on Friday January 30, 2004 @06:24AM (#8133157) Journal
    Here's an example [zapthedingbat.com]

    no, that link is not supposed to do it, the page will show you what it is.
  • by krappie ( 172561 ) on Friday January 30, 2004 @06:24AM (#8133161)
    It hasn't made it on Slashdot yet, but Netcraft is reporting [netcraft.com] that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.

    For more information, please see Microsoft's advisory [microsoft.com]. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".

    After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..

    Workarounds for this new behavior are listed as:
    * Do not include user information in HTTP or HTTPS URLs.
    * Instruct users not to include their user information when they type HTTP or HTTPS URLs.

    How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
  • Re:Hah! (Score:5, Informative)

    by RAMMS+EIN ( 578166 ) on Friday January 30, 2004 @06:26AM (#8133171) Homepage Journal
    I see others have recommended Mozilla Firebird. It's a great browser indeed, and open source.

    However, I recommend Opera [opera.com]. It's small, fast, very standards-compliant, and has lots of nice features that make browsing the web just a little more comfortable. Examples:

    Don't want to wait for those graphics to load? Press G to stop loading them. You can selectively view some images if you need to.

    Can't read the fonts? Color scheme ticking you off? Press Ctl+G to use the default stylesheet. Black text on white background, couldn't be more legible. Don't like the default stylesheet? Don't worry, you can change it.

    Type g litigious bastards [sco.com] in the address bar to search for litigious bastards [sco.com] on Google.

    Bookmark pages and assign aliases to them to surf there quickly. For example, I used sd for Slashdot and osn for OSNews.

    I don't like mouse gestures, but some people love them. Opera does, too.

    Etc, etc.

    It's a pity Opera on Linux keeps crashing. On Windows, it's great, though.
  • Re:Hah! (Score:5, Informative)

    by Megaslow ( 694447 ) on Friday January 30, 2004 @06:52AM (#8133275) Homepage
    While I am also a happy Firebird user, it is lacking a few key things, e.g. mailto URLs are not handled properly. Also, there are still significant bugs, such as pages which cause the browser to completely croak, and bugs with the password manager.

    I'm sure the majority of the glaring errors or lacking features will be addressed before it becomes an official product.

  • by deadmonk ( 568008 ) on Friday January 30, 2004 @07:04AM (#8133311) Homepage Journal
    The same MS advisory page recommends (way down at the bottom for those that don't bother to RTFA):
    Read E-mail Messages in Plain Text.
    ...
    By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:

    * %00
    * %01
    * @

    Gee, ya think that HTML email is a bad idea..? I wonder how many people even realize that this "IE advisory" applies to Outlook and their email as well?

    Nice way to bury that one, guys..
  • Re:Hah! (Score:5, Informative)

    by real_smiff ( 611054 ) on Friday January 30, 2004 @07:10AM (#8133328)
    Opera was my browser of choice for over a year, but recently I moved to Firebird.. why? I got fed up with Opera being so slow. It seems to have problems with certain sites (many that I come across), relating apparently to its JavaScript engine (a suggestion on their forum to turn off JS is too inconvenient for me). If this affects you (I was finding Opera regularly using >50% CPU and >100MB RAM on my AMD 1.2GHz, 512MB system), you may want to consider Firebird instead (with all the necessary extensions to give a similar experience). I have found no such resource usage in Firebird yet.

    This is in no way bashing Opera, which has a lot of great innovations and I hope to return to when this problem is fixed. Just a warning that Opera may not be as fast as everyone thinks!

  • by sco08y ( 615665 ) on Friday January 30, 2004 @07:15AM (#8133347)
    There is nothing about Moz Firebird that's going to make this less of an issue. The fact is that the typical user is going to see http://www.amazon.com@/fakepath/usualAmazoncrap:russianmafia.ru and think it's an Amazon URL.

    Quick check: how many of you bought something online and actually checked the lock icon? While shopping during Christmas? When you were under pressure to get something done?

    This is a human interface architecture [asktog.com] issue, plain and simple. It has nothing to do with IE, nothing to do with SSL or any TLAs and everything to do with the fact that URLs and the web were not designed with security and human interface in mind.

    To fix this, we need to transition to a standard way of verifying security. A quick fix to this problem would be to redesign the address bar to actually show the protocol and the host, something along the lines of:

    [protocol: http, insecure] [host: www.russianmafia.ru] [user: www.amazon.com] [path: ...]

    A larger fix would be to transition to a set of protocols and interface standards that establish how a user chooses privacy and security options.
  • by binford2k ( 142561 ) on Friday January 30, 2004 @07:35AM (#8133410) Homepage Journal
    You missed the point.

    http://www.amazon.com%01@malicious-site.com

    will show as http://www.amazon.com%01@malicious-site.com in Mozilla, Firebird, Opera, etc.

    In IE, it will show as http://www.amazon.com

    That is the flaw. It has everything to do with IE.
  • by 16K Ram Pack ( 690082 ) <(moc.liamg) (ta) (dnomla.mit)> on Friday January 30, 2004 @07:37AM (#8133420) Homepage
    Well, yes and no.

    Personally, I think that if you are getting into sites that are spoofing you elsewhere, you are probably going to bad sites in the first place.

    However, IE doesn't help to inform a user in their decision making. In Mozilla, I can get the toolbar to tell me what's behind a hyperlink - so a designer can't pretend it's another address.

  • Not just IE (Score:2, Informative)

    by stephendl ( 155902 ) on Friday January 30, 2004 @07:46AM (#8133461) Homepage
    It looks [theinquirer.net] like the only browser immune to this is Opera.

    "Though little-used, the tricky URL form is a recognised Internet standard as documented in various RFC documents. For this reason the developers of other browsers, like Mozilla, don't feel they can simply get rid of it. Instead, the Mozilla developers and a horde of kibitzers have spent almost a year and 156 comments discussing what can be done. Right now that effort has got precisely nowhere and Mozilla users are almost as vulnerable as Internet Exploder users to being hoaxed in this way."
  • by Wyzard ( 110714 ) on Friday January 30, 2004 @07:55AM (#8133484) Homepage

    The way to win the battle against runaway popups is to rapidly and repeatedly press the Escape key. The pop-up window will appear, but since Escape is a shortcut for the Stop button, it won't have a chance to load its content (including the script which opens more windows), and you can close it safely.

  • Re:i knew it (Score:4, Informative)

    by Trejkaz ( 615352 ) on Friday January 30, 2004 @08:02AM (#8133506) Homepage
    Ah, but XHTML 2 is in the same namespace as XHTML 1, which means people might assume 'a' is anchor anyway. That's even why they made 'q' into 'quote', because the display semantics of 'q' were different ('q' is supposed to have quotes automatically supplied, whereas 'quote' isn't.)
  • by g3rr!t ( 570129 ) on Friday January 30, 2004 @08:07AM (#8133521)
    Which would be correct, except that RFC1738 is obsoleted by RFC2396 [faqs.org], which does allow for user names.

    (There's an interesting "discussion" over on Mozilla's bug id 122445 - regarding this, too)
  • Re:Hah! (Score:4, Informative)

    by xlyz ( 695304 ) on Friday January 30, 2004 @08:30AM (#8133623) Journal

    to add mailto: support to Firebird just install mozex [mozdev.org] extension

  • Re:Hah! (Score:5, Informative)

    by Walterk ( 124748 ) <slashdot@@@dublet...org> on Friday January 30, 2004 @08:31AM (#8133634) Homepage Journal
    However, I recommend Opera. [..] lots of nice features that make browsing the web just a little more comfortable. Examples:

    Don't want to wait for those graphics to load? Press G to stop loading them.

    Firebird: Press ESC

    You can selectively view some images if you need to.

    Firebird: has image blocking: right click -> block images from <server name>

    Can't read the fonts?

    Firebird: Ctrl++, or Ctrl+- for smaller fonts

    Color scheme ticking you off? Press Ctl+G to use the default stylesheet. Black text on white background, couldn't be more legible.

    Firebird: No shortcut for default colours yet.

    Don't like the default stylesheet? Don't worry, you can change it.

    Firebird: Preferences->General->Fonts&Colors

    Type g litigious bastards in the address bar to search for litigious bastards on Google.


    Firebird: By default has `google' as alias for google, but you can do this with anything by assigning alias to sites with %s for the search term, e.g.:
    • Google: http://www.google.com/search?q=%s&ie=UTF-8&oe=UTF-8&hl=xx-bork&btnG=Google-a+Seerch
    • IMDB: http://us.imdb.com/Find?select=All&for=%s


    Bookmark pages and assign aliases to them to surf there quickly. For example, I used sd for Slashdot and osn for OSNews.

    See above.

    Firebird also has type ahead searching. A feature which one can't live without.
  • Just install MYIE2 (Score:2, Informative)

    by sagefire.org ( 731545 ) on Friday January 30, 2004 @09:08AM (#8133784) Homepage
    MYIE2 [myie2.com] installs a front end for the IE engine that does all of this. It also allows tabbed browsing. It is definitely worth a look.
  • status bar, win xp (Score:2, Informative)

    by bstil ( 652204 ) on Friday January 30, 2004 @09:09AM (#8133789)
    Note: If the status bar is not enabled, the lock will not appear.

    Whoever wrote this KB article needs to send it to their neighbors in WinXP product development. The status bar is disabled by default in Windows Explorer in XP.

    Also, Windows still has "hide known file extensions" option checked by default. So something like annavirus.jpg.vbs looks like a .jpg file to the average Windows home user.
  • by SharpFang ( 651121 ) on Friday January 30, 2004 @09:21AM (#8133860) Homepage Journal

    The bug is not allowing URLs in this style:
    http://fake.host.as.username@the.real.evil.host/
    This is perfectly legal and most people will spot it! (well, at least I do.)
    The bug is:
    http://fake.host.as.username[somespecialchar]@the.real.evil.host/
    where the special character prevents IE from displaying anything after it.
    This is NOT the case in other browsers, this is a serious vulnerability (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
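    The three posts above (the labelled address-bar layout, the %01 trick, and the "username that looks like a host" form) all come down to one fact: the host a browser contacts is whatever follows the last `@` in the authority part of the URL. As an added example, not code from Microsoft, Mozilla or Opera, the following Python script decomposes a URL with the standard library's `urlsplit`, renders it in the labelled layout proposed above, and flags userinfo that hides control characters or that looks like a hostname. The sample URLs reuse the hostnames written in the posts; `intranet.example` and `www.example.com` are constructed.

```python
"""Decompose a URL into the pieces RFC 2396 defines and flag the userinfo tricks
described in the thread. Added example; not code from Microsoft, Mozilla or Opera."""
import re
from urllib.parse import urlsplit, unquote

# ASCII control characters (what %00 and %01 decode to) and DEL
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# At least one dot and only hostname characters: this "user" looks like a domain
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def visible(text):
    """Re-encode control characters as %XX so they cannot vanish from a display."""
    return CONTROL_CHARS.sub(lambda m: "%%%02X" % ord(m.group()), text)


def decompose(url):
    """Split a URL the way a browser must resolve it: the host after the last '@'
    in the authority is where the request actually goes."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # non-numeric port: treat as absent
        port = None
    return {
        "protocol": parts.scheme.lower(),
        "secure": parts.scheme.lower() == "https",
        "host": parts.hostname or "",
        "port": port,
        "user": parts.username,  # None when the URL carries no userinfo at all
        "path": parts.path or "/",
    }


def address_bar(url):
    """Render the URL in the labelled form proposed in the thread, so the real
    host can never be confused with the userinfo."""
    d = decompose(url)
    host = d["host"] if d["port"] is None else "%s:%d" % (d["host"], d["port"])
    fields = [
        "[protocol: %s, %s]" % (d["protocol"], "secure" if d["secure"] else "insecure"),
        "[host: %s]" % host,
    ]
    if d["user"] is not None:
        fields.append("[user: %s]" % visible(d["user"]))
    fields.append("[path: %s]" % visible(d["path"]))
    return " ".join(fields)


def audit_url(url):
    """Return the reasons the userinfo part of this URL looks deceptive."""
    d = decompose(url)
    reasons = []
    if d["user"] is None:
        return reasons
    decoded = unquote(d["user"])
    if CONTROL_CHARS.search(decoded):
        reasons.append("userinfo contains control characters (the %00/%01 trick)")
    stripped = CONTROL_CHARS.sub("", decoded)
    if HOSTNAME_LIKE.match(stripped):
        reasons.append("userinfo '%s' looks like a hostname but the real host is '%s'"
                       % (stripped, d["host"]))
    return reasons


if __name__ == "__main__":
    # Constructed samples: the two shapes discussed in the thread, a legitimate
    # basic-auth URL that must not be flagged, and a plain HTTPS URL.
    samples = [
        "http://www.amazon.com%01@malicious-site.com",
        "http://fake.host.as.username@the.real.evil.host/",
        "http://user:secret@intranet.example/",
        "https://www.example.com/cart",
    ]
    for u in samples:
        print(address_bar(u))
        for r in audit_url(u):
            print("   !", r)
```

    Note that a URL with a short username and password is left alone: the script only complains when the userinfo either carries control characters or is shaped like a domain name, which is exactly the combination the posts above describe.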
  • and it's incomplete (Score:1, Informative)

    by Anonymous Coward on Friday January 30, 2004 @09:52AM (#8134075)

    oh my, they really are nuts. They can't even write such an article correctly: not only link handling is bogus, but also form posts - you can have this %01 thing in a <form action=...>.

    They fail to inform users that they shouldn't push buttons.

  • by nolife ( 233813 ) on Friday January 30, 2004 @09:53AM (#8134086) Homepage Journal
    The @ symbol is required for http-based authentication

    That is exactly how MS plans on fixing this problem. Read more here [microsoft.com].

  • by Christopher Whitt ( 74084 ) <cwhitt&ieee,org> on Friday January 30, 2004 @10:08AM (#8134200) Homepage
    The URL spoofing exploit also exists in Mozilla

    bzzt - wrong. It existed only partially. The status bar would display the URL incorrectly, however the address bar always correctly displayed the full URL. There was a patch for this the same day that it was discovered Mozilla was partially affected, and an improved fix has since been checked in to all major Mozilla variants. Mozilla 1.6 [mozilla.org] is fixed, as will be Firebird 0.8 (due any day now).

    Check to see if your browser is vulnerable at the Secunia Address Bar Spoofing test page [secunia.com].
  • by scrytch ( 9198 ) <chuck@myrealbox.com> on Friday January 30, 2004 @11:02AM (#8134706)
    How on EARTH did someone write this KB article without cracking up. Are they for real or what?

    This one will crack you up even more: Don't use the word "begin" -- use "start" or "commence" instead [microsoft.com]. That's right, the parser doesn't need fixing, the English language does.

    It's frightfully for real. How's MS's level of support looking now?
  • Re:Hah! (Score:2, Informative)

    by Megaslow ( 694447 ) on Friday January 30, 2004 @11:04AM (#8134735) Homepage
    Unless you have some extensions installed, it most certainly does not open them in your default mail program. (Well, maybe it does under Windows, but I'm not running Windows...). Clicking on a mailto: link in Firebird 0.7 under Linux produces a dialog box with the message:
    mailto is not a registered protocol
    I'll have to try on my Windows computer at work and see what it does.
  • But what about... (Score:3, Informative)

    by hacker ( 14635 ) <hacker@gnu-designs.com> on Friday January 30, 2004 @11:16AM (#8134829)

    I just received an email the other day, which was worded something like:

    "Please do not trust any URLs in email, unless they contain https. Using https ensures your session remains secure. If the email you receive doesn't include <a href="http://www.e-qo1d.com/">https://www.e-gold.com</a>, it may not be secure. Only trust emails which contain <a href="http://www.e-qo1d.com/">https://www.e-gold.com</a>"

    Look very closely at that content, and you'll see the subtle exploit in it.

    How can John Q. Public or your grandmother be sure of this, without actually viewing and auditing the source of the webpage/email they're receiving? This assumes that some mail readers can actually allow you to view the raw source of the email, to see if it contains any malicious flaws like this.

    If you visit e-qo1d.com in a browser, you'll see the exact exploit it uses. Not to worry, it is relatively safe (unless you are a customer of e-gold.com, and purchase gold online).

    This is one example of how these companies are misusing this type of exploit to liquidate people's bank accounts. Nice.
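    The quoted e-mail above and the earlier Anonymous Coward post make two related points: the visible text of a link can name one host while the href goes to another, and a form's action URL can carry the same userinfo trick as a link. As an added example, not code from any mail client or from the posters, the following Python script parses an HTML message with the standard library's `html.parser`, reports anchors whose visible text claims a different host than the href actually resolves to, and reports forms whose action URL contains userinfo. The sample message reuses the anchor quoted in the post; the form and the hostname `phish.example` are constructed.

```python
"""Audit the links and forms in an HTML e-mail body. Added example; not code from
any mail client. Findings are returned as dicts so a filter can act on them."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the first anchor mirrors the phishing mail quoted in the
# thread; the form and phish.example are invented for illustration.
SAMPLE_EMAIL = """
<p>Only trust emails which contain
<a href="http://www.e-qo1d.com/">https://www.e-gold.com</a></p>
<form action="http://www.e-gold.com%01@phish.example/login">
  <input type="submit" value="Log in"></form>
<p>Help: <a href="https://www.e-gold.com/help">our help page</a></p>
"""


def host_of(url):
    """Host a browser would actually contact (the part after the last '@')."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def claimed_host(text):
    """Host the visible link text claims, if that text is shaped like a URL."""
    text = text.strip()
    if "://" in text:
        return host_of(text)
    if text.lower().startswith("www."):
        return host_of("http://" + text)
    return ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for anchors and action URLs for forms."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def audit_email(html):
    """Return a list of findings; an empty list means nothing looked deceptive."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    findings = []
    for href, text in p.links:
        shown, real = claimed_host(text), host_of(href)
        if shown and shown != real:
            findings.append({"kind": "link-text-mismatch", "shown_host": shown,
                             "real_host": real, "href": href})
    for action in p.forms:
        # userinfo in a form action has no legitimate use in a mail message
        if urlsplit(action).username is not None:
            findings.append({"kind": "form-action-userinfo",
                             "real_host": host_of(action), "href": action})
    return findings


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print(finding)
```

    Reading mail as plain text, as the KB article suggests, makes the same comparison by eye; this script is the same check applied before the message reaches the reader, and it reports the host that would really be contacted rather than the one the sender wants seen.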

  • by yarbo ( 626329 ) on Friday January 30, 2004 @12:29PM (#8135548)
    using escape characters [codefront.net]
  • by Gldm ( 600518 ) on Friday January 30, 2004 @12:30PM (#8135566)
    Obviously people who wrote this article advising to type in urls have NO IDEA how bad things are right now. I had a job in phone support for an ISP recently, and it's impossible to get the average user to type a url in the address bar, because most don't even HAVE an address bar anymore!

    Typical conversation:
    me: "Ok, now go to the address bar and type the following..."
    customer: "Go to the what?"
    me: "Ok, do you have a web browser open? It's the program you use to view websites."
    customer: "I thought I had you guys."
    me: "Yes, now click on whatever you use to view our homepage."
    customer: "But I just told you I don't have that anymore, all I have is this incredifind.com thing."
    me: "That's ok, I'll fix that in a minute, just click on it and open it up."
    customer: "Ok, I have the incredifind open. Now how do I get to my internet?"
    me: "Ok, do you have an address bar at the top?"
    customer: "Wait, there's popups in the way now, let me close them."
    (wait 4 minutes to close popups that spawn other popups)
    customer: "Ok I can see, you said address? I don't see that."
    me: "Well we want to type in a web page, so do you see a long white bar at the top?"
    customer: "Yeah I have 4, let me just type it in this super search one..."
    me: "Umm ok let's not..."
    customer: "Ok I'm at ultimatelinks.com, what do I click on now?"
    me: "Ok let's forget about that for a minute, what do the white bars at the top say next to them?"
    customer: "Umm.. searchnow, supersearch, fastsearch, quickfind..."
    me: "Do any of them say address next to them?"
    customer: "No."
    me: "Ok do you have the word address anywhere in the gray area up at the top?"
    customer: "I have file... edit.." (wait 3 minutes to read entire list)
    Now, either the address bar is there and collapsed, and I spend 5 minutes trying to instruct them how to use the mouse to drag it open, or it's not and I try to go through the view menu and turn it on, and spend 5 minutes trying to figure out which options are removed from their menus by spyware hijacks.
    me: "Ok fine, hit ctrl+o, does a little window pop up?"
    customer: "Yes, you want me to type it in there?"
    me: "Yes do that."
    customer: "Ok, I'm there but there's a big popup and I can't close it because it has no X."
    me: "Ok can you drag it out of the way?"
    customer: "How do I do that?"
    me: "Ok try just hitting control and the F4 key at the top of your keyboard, does it go away?"
    customer: "Yeah. That's neat, I'll write that down. Wait, another popup came up..."

    I'm not kidding, this is in no way an exaggeration or parody. While this is not a real conversation in itself, all these things have occurred in similar conversations I had on the phone during support calls. And they seriously expect these people to type in URLs? How about making the browser so malicious programs can't remove or replace the address bar first?
  • by NickFitz ( 5849 ) <slashdot.nickfitz@co@uk> on Friday January 30, 2004 @12:39PM (#8135674) Homepage
    (Opera)'s small and fast as hell too...

    On my Mac I run Safari, IE, Mozilla and Opera. Opera is the slowest to load, taking five times longer than Safari, despite being half the size. It also renders Opera's own site [opera.com] so slowly as to be unusable - I did a comparison the other day, and Safari rendered the site at least four times faster. Opera even beachballs for half a second when hovering over a link requires re-rendering (as all the links at Opera.com do). The only reason I ever run it is to test CSS compatibility, where it is good - although its JavaScript/legacy DOM support is abominable.

  • by the unbeliever ( 201915 ) <chris+slashdot&atlgeek,com> on Friday January 30, 2004 @12:40PM (#8135691) Homepage
    Firebird has a Google search box in the upper right, and innate popup blocking.
  • by berzerke ( 319205 ) on Friday January 30, 2004 @12:57PM (#8135834) Homepage

    ...If Google were to support the Toolbar in Moz and I'd probably switch...

    Ah! But there is a google toolbar [mozdev.org] for Moz. Happy switching.

  • by zurab ( 188064 ) on Friday January 30, 2004 @03:16PM (#8137604)
    Only Opera is sort-of immune by popping up a warning message about potentially dodgy sites.


    I don't know what "sort-of" means, but Konqueror is in no way affected by this exploit. It displays correct address both in the status bar as well as the URL bar.

    Having said that, I did like Opera's feature that popped up that warning. If you get spam in your webmail account some images (in embedded HTML) may come from a server that will authenticate you like that and possibly track which e-mails are being read. If only Opera was able to manage all the ads that some websites throw at it.
  • by ChaosDiscord ( 4913 ) on Friday January 30, 2004 @03:40PM (#8137864) Homepage Journal

    How can you Linux guys live without the Toolbar ? I *need* to know. Are you actually going to google.com every time you want to find a pic?

    When I was using Galeon [sourceforge.net], I would just put a "Search Google" box in my toolbar. (Here's a screenshot with three Google search boxes. Two of them are folded closed to save space [sourceforge.net]). Firebird [mozilla.org] has similar functionality.

    For a variety of reasons I switched back to plain old Mozilla, and certainly don't visit Google.com directly. Personally I use bookmark keywords. I've got "g" mapped to Google, so I just type something like "g galeon screenshots" in my address bar and I get a search for "galeon screenshots" from Google. It's such a handy feature that I've got similar keywords for Wikipedia, Everything2, dictionary.com, FreshMeat, and a few others.

    However, if I was only using one search engine, I might use the default behavior built into the address bar. When you type an address in, a drop list of suggestions appears below. The bottom one is always, "Search ENGINE for 'YOUR KEYWORDS'", where ENGINE is one of the many options you can configure (including Google), and YOUR KEYWORDS are whatever you typed. You just select it and off you go.

    If you're really keen on having a search box dedicated to Google, well, besides trying something like Galeon or Firebird, you can install the Googlebar [mozdev.org] (screenshots [mozdev.org]). Personally I'm no longer keen on adding search boxes to toolbars, I want less user interface on screen, not more. Less interface means more space for actual web page.

    How are you checking PageRankings?

    As a general rule I try to not obsess about what piece of software thinks about my web site or the web sites of others. Knowing PageRanking is certainly amusing, and it may be marginally useful if you're doing professional web work, but is it really that critical?

    I'll admit, it's a shame Mozilla doesn't provide it, but it's not really that big of a deal.

    As a bonus, it's the best popup blocker ever. I haven't seen one in a year and a half.

    Neither have I. It seems a bit odd to co-mingle popup-blocking and searching into a single component, but I guess if it works for you. Mozilla's popup blocking support works great and comes built in to the browser. As a bonus I can also stop sites from doing other irritating things. For example, I've forbidden sites from resizing or moving existing windows or moving windows up and down in the screen ordering. If you're sick of sites doing stupid crawls in your status bar or hiding the real destination for links you can just click "Allow scripts to...Change status bar text."

    I do like the tabbed browsing but it's like I have tabbed browsing now; I just have a dozen browsers open. I switch between them along the taskbar. RAM is cheap today, gentlemen. I don't really care how many of my machine's resources it takes.

    Tabbed browsing has never been about resources; that you think it does shows a serious lack of understanding about modern web browsers. Every major browser (including IE and Mozilla) will only run one copy of the program, regardless of how many windows you have open. Tabs are not significantly more efficient than windows.

    Tabbed browsing is about organization. The task bar works fine, but it doesn't scale. If you've got 20 windows open you've just got twenty little teeny icons with almost no text. XP's grouping helps, but all of the web browser windows get lumped together. A typical use case would be to have a window open to a web email site, another window reading a list of bugs assigned to me and a bunch of tabs for individual bugs I'm loo

  • by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Friday January 30, 2004 @04:50PM (#8138467) Homepage
    With a javascript redirect. I couldn't get most web forums to accept the dodgy html directly and I wasn't sure others could copy it correctly, so I set up a bounce page.

    If you use the direct link (as phishing scams always do), it shows up as "msie.microsoft.com" in the preview area too.

    I'd be interested to know how SP2beta handles a direct link; I've read that it breaks javascript redirects under some conditions, but it's not clear that a direct link wouldn't still be displayed incorrectly.
