
Microsoft Advises to Type in URLs Rather than Click

spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
  • by Anonymous Coward on Friday January 30, 2004 @06:06AM (#8133075)
    This is a trust issue, not a technology issue.
  • Easier way... (Score:2, Insightful)

    by Anonymous Coward on Friday January 30, 2004 @06:06AM (#8133076)
    I didn't really read the article, but I am pretty sure that one option slipped their mind, whoever wrote it.

    use another browser...

    There are plenty of options available on the market :)

    If you don't like OSS, for religious, political, or other reasons, one can always use Opera.
    Otherwise Mozilla, Firebird, Konqueror, and others come to mind :)
  • How About.. (Score:5, Insightful)

    by thesupraman ( 179040 ) on Friday January 30, 2004 @06:09AM (#8133086)
    They turn off all the 'automate EVERYTHING' approaches microsoft seem to think are a good idea, then it will become safe again to actually click on the links?

    Really. perhaps a few more people should install pegasus email under windows, and download mozilla firebird - the world would really be a slightly better place!

    Or is that just too obvious?

    PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

    Sigh.
  • by jester42 ( 623276 ) * on Friday January 30, 2004 @06:15AM (#8133122)
    But the bug in ie is that i can make any URL look like a 4 letter URL in your status bar.
  • What about .... (Score:4, Insightful)

    by sdukaric ( 640170 ) <sinisa AT sinisa DOT org> on Friday January 30, 2004 @06:15AM (#8133123) Homepage Journal
    Let's say M$ user types in URL but on that URL is redirection to faulty URL? The thing is, they can do nothing about it. And nowadays some regular URL has like 30+ characters with all those PHP-Nuke/Puke portal engines and horror CMS engines. SO, M$ crew, create a real browser and stop dragging us/them to a stone age...
  • Re:Easier way... (Score:5, Insightful)

    by BenjyD ( 316700 ) on Friday January 30, 2004 @06:19AM (#8133138)
    Then you have to fight the bizarre built-in pro-Microsoft stance of pretty much any non-techy computer user. I swear MS are putting something in the water.
    You could install computers with IE and Mozilla, with a large message that popped up *every time* you ran IE saying "This browser is insecure and will allow criminals to steal your money. There is a far more powerful and secure browser on this computer - it's the red icon on the desktop".
    And people would still use IE "'cos it's Microsoft".
  • by linuxci ( 3530 ) on Friday January 30, 2004 @06:23AM (#8133155)
    There's no excuse to have to go to ridiculous means to prevent spoofing, and manually typing in URLs is excessive, in fact I'd say the vast majority of people in here that use IE at home out of choice are doing it because they're too lazy to try alternatives (I can't think of any other reason why they'd prefer IE) so they're not gonna type URLs manually either - and the non tech literate public won't even know to do this.


    So it's up to the browser makers to take action if this is really a security risk.


    The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar making this not possible.

  • This is great ... (Score:3, Insightful)

    by boris_the_hacker ( 125310 ) on Friday January 30, 2004 @06:25AM (#8133167) Homepage
    ... and even though I don't use Windows this is a nice step towards better security.

    My main issue is this, the knowledge base is huge - there are thousands of articles, therefore although the article is there how many *normal* people actually read it ? The people that need the information the most are those that are less computer literate and the same people that would rather be playing flash games than reading a document on a "geeky computer" website.

    It is same with the "oh they should use another browser", at the end of the day they don't really care until they get bitten - and even then they will make the same mistakes again. I personally think that the software update mechanism (where the window pops up if there are updates) is great under OS X. You would have to be really retarded to ignore it.

    Maybe Windows and Linux could do with something like this ? I know debian has its security feed (which I use), but it'd be useful if it alerted me that there were updates. I also remember there being a update manager but maybe it shouldn't allow you to not install the security updates. (Please forgive my lack of knowledge of the recent windows situations WRT updates- I rarely use it so please don't flame back but I would be genuinely interested to know - for the sake of my parents computers)

    Anyway, end of post.
  • by MonTemplar ( 174120 ) * <slashdot@alanralph.fastmail.uk> on Friday January 30, 2004 @06:26AM (#8133172) Journal
    You don't even need to go digging for Unicode characters to pull off tricks like that. As demonstrated on Slashdot itself! Some examples: Anonvmous Coward (y replaced by v), MonTemp1ar (l replaced by 1 (one)). At least with /. usernames you have the UID that can be checked against to confirm the person's identity. No such luck if you apply the same trick to URLs - how many people are going to spot the difference?

    -MT.
  • by ControlFreal ( 661231 ) * <niek AT bergboer DOT net> on Friday January 30, 2004 @06:29AM (#8133191) Journal

    I fully agree with you that it should not be necessary. However, I assume that you are from a country using a Latin charset (being Dutch, I am). However, even though we as "westerners" might still be in the majority (are we still?), this might not always be like this.

    For example: the number of Chinese internet users [technewsworld.com] went from roughly 600 thousand to 80 million in the timespan 1997-2003. So there will be lots more. And that's only China. I can only imagine that these people want domains in their own charset (at least we have lots of domain names in Dutch here in Holland, but of course we have the advantage of using a Latin charset).

    In that case, a general "block" on multilingual domains in the address bar won't work.

  • by zoney_ie ( 740061 ) on Friday January 30, 2004 @06:35AM (#8133210)
    How on EARTH did someone write this KB article without cracking up. Are they for real or what?

    I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...

    Yeah, right. I can't get over this article - it's nearly like a spoof or something.

    I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.
  • If you're not using Mozilla Firebird you're not surfing the web you're suffering it


    While it is true the IE is the holiest browser currently available, it also has an immense amount of incorrectly implemented features. Maybe I should start over...

    IE has support for a large deal of things I wish were standard. However, too many internet bodies can't make decisions and standards are simply corrupted leaving Microsoft to run around generating their own pseudo standards. As far as web development goes and building high quality, web-based applications (trust me, the backend to all sites I work on are served by one the last servers VA's sold) IE simply offers more flexibility, creative applications, and...well, a larger userbase [doctor-html.com]. While the application is inherently flawed, the theory and principles are good and would only further extend the realm of creative outlets if there was one standard.

    I don't suffer because I use IE or develop sites that don't run in Opera. I suffer wasting time making sure the stripped down version of these sites work in Mozilla.

    Time is money; I don't have either.
  • by Jugalator ( 259273 ) on Friday January 30, 2004 @06:44AM (#8133242) Journal
    Yes. Unfortunately they never seem to have realized they could avoid the problem by doing like Opera for example... Dialog:

    -----
    You are entering www.thewebsite.com while using this login information:

    User name: blah
    Password: foo

    Proceed?

    [ Yes ] [ No ]
    -----
  • by BigRedFish ( 676427 ) on Friday January 30, 2004 @06:47AM (#8133256)

    I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:

    The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.

    Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.

    Now, from the "but it's so easy to use" department:

    Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate user for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.

    Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name and nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.

    From the "but it's so easy to use" department, take two:

    In the Address bar, type the following command, and then press ENTER:
    javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");

    I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.

  • by RAMMS+EIN ( 578166 ) on Friday January 30, 2004 @06:50AM (#8133269) Homepage Journal
    ``The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar making this not possible.''

    The whole point of Unicode is that it _is_ one charset for everything. I personally think that Unicode, especially UTF-8, is an even better invention than sliced cheese, and should be used anywhere and everywhere.

    True, this is not going to stop attacks involving spoofed URLs, but trusting URLs is bad from a security viewpoint anyway. What to think of misdirecting surfers with malicious DNS responses? Or man in the middle attacks, or IP spoofing? Asymmetric key cryptography is a pretty reliable authentication mechanism, I vote for using that.
  • Users don't know (Score:2, Insightful)

    by smeenz ( 652345 ) on Friday January 30, 2004 @06:52AM (#8133273) Homepage
    I see this time and time again when attending to computers in homes or small businesses - when a user clicks on a link, or the picture of an 'e', they know only that it makes a new window open and they can use the internet in it.

    They don't usually know what a browser is, let alone that there is more than one browser out there, and when they read stories about viruses and how clicking on things can make your computer infected, they see microsoft as a victim.

    As far as they know, Microsoft is the company that makes the things on their computer, and they know that MS is a really clever company that makes really good programs and that if they find anything wrong with those programs, they don't think that microsoft should have fixed it, or designed it differently like we do, no, they just think that they shouldn't be doing whatever it was they wanted to do that way.

    Honestly, I know so many people that don't know the difference between Windows and Office - they think that all computers come with the thing for writing letters and the thing for making spreadsheets and the thing for sending email and the thing for the internet, and any time a new virus comes out, they talk about how horrible those virus writers are. I read a letter to pc world magazine just a few months ago where someone was praising microsoft for all the hard work they're doing to defeat the virus writers!

    So asking for these sorts of people to 'use a different browser'.... you may as well tell them to please speak in a different language when they come back from lunch because there's a problem with English. Most people wouldn't know where to begin.

  • by Anonymous Coward on Friday January 30, 2004 @07:11AM (#8133331)
    A simple solution is to render characters from a different code page than the default in a different color in urls.
  • Re:Easier way... (Score:2, Insightful)

    by Bob Zer Fish ( 568540 ) on Friday January 30, 2004 @07:23AM (#8133370) Homepage
    This is the biggest pile of bull-sh!t I've seen in a long time.
    How many times have you mistyped URLs only to find that you've gone to some unfortunately placed advertising site (google is a good example). Clearly this is also a problem, since you (well at least I) assume that my typing is perfect the problem still exists. It just seems to me that this has been moved to another area.
    I know that I am slightly missing the point, but come on microsoft, address the problem!!!!!
  • if (Score:2, Insightful)

    by themusicgod1 ( 241799 ) <jeffrey.cliff@gmail.TIGERcom minus cat> on Friday January 30, 2004 @07:48AM (#8133468) Homepage Journal
    i'm a braindead single mom with 4.9 kids and i'm told by microsoft to instead of clicking on icons to write by hand urls...
    does this actually accomplish anything?
    if i get a url like http://www.cnn.com@www.schnits.org/?comments=foo3 or whatever...and this is copy/pasted through manually copying each character with myself... isn't the conclusion of this story the same as if i were to have just clicked on it? microsoft's advice accomplishes absolutely nothing!

    and anyway...99% of the time i'm perfectly content with elinks.
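An added example, not part of any comment in this thread: a link check for the two tricks raised above, the `user@host` form in the cnn.com URL and hostnames that mix alphabets. The function names, the script list and every sample URL other than the cnn.com one are constructed for illustration.

```javascript
// Added example (not from the thread). Flags two deceptive-URL patterns:
//   1. a userinfo part before "@", so the text left of "@" only looks like the host
//   2. a hostname label that mixes alphabets (e.g. Latin with Cyrillic)
// Uses only the WHATWG URL parser and Unicode property escapes built into Node.js.
// Not covered: same-alphabet lookalikes such as "1" for "l".

// Scripts checked per label; a constructed short list, not a complete policy.
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Han', 'Hiragana', 'Katakana',
                 'Hangul', 'Arabic', 'Hebrew'];
const SCRIPT_TESTS = SCRIPTS.map(n => [n, new RegExp(`\\p{Script=${n}}`, 'u')]);
// Japanese legitimately combines these three, so that mix is not flagged.
const JAPANESE = new Set(['Han', 'Hiragana', 'Katakana']);

// Names of the scripts present in one hostname label (digits and "-" are ignored).
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of SCRIPT_TESTS) {
      if (re.test(ch)) { found.add(name); break; }
    }
  }
  return [...found].sort();
}

// Hostname as typed. URL.hostname would return the ASCII "xn--" form, which
// hides the characters we want to look at.
function rawHostOf(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#\\]*)/i.exec(raw.trim());
  if (!m) return '';
  const authority = m[1];
  return authority.slice(authority.lastIndexOf('@') + 1)  // drop userinfo
                  .replace(/:\d*$/, '')                   // drop port
                  .toLowerCase();
}

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { valid: false, host: null, userinfo: null, mixedLabels: [],
             warnings: ['not an absolute URL'] };
  }
  const warnings = [];
  const hasUserinfo = url.username !== '' || url.password !== '';
  if (hasUserinfo) {
    warnings.push(`"${url.username}" is login data; the host is ${url.hostname}`);
  }
  const mixedLabels = [];
  for (const label of rawHostOf(raw).split('.')) {
    const scripts = scriptsIn(label);
    const japaneseOnly = scripts.every(s => JAPANESE.has(s));
    if (scripts.length > 1 && !japaneseOnly) {
      mixedLabels.push({ label, scripts });
      warnings.push(`label "${label}" mixes ${scripts.join(' and ')}`);
    }
    if (label.startsWith('xn--')) {
      warnings.push(`label "${label}" is an encoded IDN; decode it before judging`);
    }
  }
  return { valid: true, host: url.hostname,
           userinfo: hasUserinfo ? url.username : null, mixedLabels, warnings };
}

// Sample links: the first is quoted in the thread, the rest are constructed.
const SAMPLES = [
  'http://www.cnn.com@www.schnits.org/?comments=foo3',
  'http://www.ex\u0430mple.com/login',            // Cyrillic "а" inside a Latin label
  'http://\u043F\u0440\u0438\u043C\u0435\u0440.\u0440\u0444/', // all-Cyrillic, not flagged
  'https://slashdot.org/',
];
for (const link of SAMPLES) {
  const r = inspectUrl(link);
  console.log(r.host, r.warnings.length ? r.warnings : 'ok');
}
```

An all-Cyrillic name passes, so a check of this kind does not block the non-Latin domains discussed earlier in the thread.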
  • by thelen ( 208445 ) on Friday January 30, 2004 @07:54AM (#8133482) Homepage

    Oh give me a break. A "trust issue" in the security world means determining the extension of capacities and freedoms based upon predominately social concerns. I can allow a group password to my database, but who should be permitted into the group, etc.

    Assuming that a link will take you to where it advertises is a basic expectation on the Web, not an extension of trust. IE apparently is unable to meet that expectation. To treat this as a trust issue is akin to blaming the patient for the doctor's mistake.

  • Re:i knew it (Score:3, Insightful)

    by brokenvoice ( 595329 ) on Friday January 30, 2004 @07:56AM (#8133489)
    Nothing semantically special about link text? Doesn't the fact that it is acting as the anchor of the link make it semantically significant? Or are you thinking in wholly human-readable terms?
  • by nmg196 ( 184961 ) on Friday January 30, 2004 @08:08AM (#8133527)
    Anyone that's trying to exploit the address bar bug, will undoubtedly also include some javascript to set the status bar to say the name of the site they're spoofing as well. They're hardly likely to do one and not the other. Only the example exploits tend not to modify the status bar.
  • by The Fink ( 300855 ) <slashdot@diffidence.org> on Friday January 30, 2004 @08:09AM (#8133536) Homepage
    I can only assume your IT department is a bunch of brainwashed MSCE graduates.
    Close. Replace "MCSE graduates" with "MS apologists", and for the most part, you've got it spot on. Some of them do have MCSEs, a few more have MCSAs, but by and large, they're "surviving" on their experience. Of Windows NT and 95 environments, largely -- we've only upgraded to Windows 2000 in recent history.
    Our policy is the exact opposite: Mozilla only.
    In my personal Utopia -- indeed, when or if I run my own company with more than just me as an employee -- I'll be happy to have a standard operating environment. However, said SOE would have at least two browsers, being the OS default if one exists, for whichever OS I happen to choose to run on, and a well used alternative; it'd then be up to the individuals using those computers to decide which they want. If they want a different one, fine -- but they must then support it. In the (admittedly unlikely) instance that I was giving an employee a Windows system, they would be informed of all this, and made aware that any problems induced by either browser are their own problem alone.

    In my not-so-humble opinion, diversity is "better" than any fixed no-questions-asked policy. So for the same reasons I dislike being forced into using IE as my browser at work, I'd prefer not to have a choice of any browser as long as it was Mozilla.

    In a large organisation, this is probably too hard to deal with, hence the more restrictive SOE. I can't understand why saying "this is the install we give you; you can install whatever you like as long as (a) you support it and (b) you don't break copyright law or any licensing issues" is so difficult, especially in a company primarily focused on engineering.

    Then again, I refer back to my original statement about some people and their inability to comprehend that clicking unknown links is bad, and -- combined with some employees' propensity to blame anyone but themselves for a foulup -- perhaps there is a reason for an overly-restrictive SOE.

    Send a note to whoever the IT head reports to, with references to the problem and solutions to it.
    That would be the managing director of said company's national operations. Due to extreme twists of fate and some "very good" politicking on the part of our IT dept's manager, they've ended up at the top level of the organisation. For all that they don't seem to have much success at running a stable & reliable network with happy users and an open mind to change, they're incredibly good at making sure things go exactly the way they want them to.

    In the past, attempts to change the policies and/or alter the SOE have been unsuccessful, even if a "must win" project or technical reason on a subproject requires it, and even if every trick on how to get the change you desire has been followed, simply because of this fact. For this reason and this reason alone, most of the major projects create their own "mini-IT-department" with its own infrastructure, network, cabling, and computing equipment. Hardly efficient if you ask me.

    Ultimately, because of this "system", IT even get off the hook for problems that are essentially of their own causing, such as major system outages caused by various worms, which had patches available literally months before the worm became known.

  • by sepluv ( 641107 ) <<moc.liamg> <ta> <yelsekalb>> on Friday January 30, 2004 @08:10AM (#8133537)
    I tried the website and it does not keep the address bar the same if you go to other sites -- only that site, which is proper URI spoofing and not a security problem.

    It also displays the correct URI (even for pages on the same site) in the status bar, all the relevant properties dialogs and when copying the link location.

  • Re:Hah! (Score:4, Insightful)

    by jesser ( 77961 ) on Friday January 30, 2004 @08:11AM (#8133544) Homepage Journal
    mailto URLs are not handled properly

    I can't think of anything wrong with the way Firebird handles mailto URLs. Firebird certainly handles them better than Mozilla Navigator -- Firebird opens them in your default mail program, while Mozilla Navigator always opens them in Mozilla Mail.
  • by Anonymous Coward on Friday January 30, 2004 @08:14AM (#8133554)
    Interesting, I was suffering while making sure that standard XHTML works with IE. Why is IE the only browser that can not fully support even the basic standards.
  • by The Fink ( 300855 ) <slashdot@diffidence.org> on Friday January 30, 2004 @08:16AM (#8133566) Homepage
    The trouble starts when you get an email purportedly from, say your bank [anz.com], telling you to please go and "update your details."

    People click it -- which that particular bank tells you not to do, since they make it a policy of sending material regarding accounts of any kind, out on paper only -- and enter their details. Whee, within a day their accounts are empty.

    Sure, 99.99% of the time, clicking links is harmless. Heck, that's what they're there for. It's the remaining 0.01% of the time which poses the problem, and it was indeed that 0.01% of the time I was referring to.

  • by SvendTofte ( 686053 ) on Friday January 30, 2004 @08:30AM (#8133629)

    But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer.

    Actually, she's only expected to be a JavaScript programmer.
    .
    .
    .
    .
    No, I don't know whether that's funny or sad.

  • by The Fink ( 300855 ) <slashdot@diffidence.org> on Friday January 30, 2004 @08:32AM (#8133639) Homepage
    Firebird doesn't have an installer, it just runs out of the directory you extract it to - unless your company has some really obscure and complex policies in place it should work fine in your OE.
    Yup, aware of that. Unfortunately the group policies in place are "good enough" to prevent it Just Working, and while it doesn't take too long to get around those, it's simply not worth the hassle. That, and having seen the IT dept follow through on their threats of termination in the past, I don't really feel like pushing my luck.

    I just do what I need to at work, and the rest of my browsing, banking etc can wait `till I'm at home.

  • by Crypto Gnome ( 651401 ) on Friday January 30, 2004 @08:35AM (#8133657) Homepage Journal
    There is nothing about Moz Firebird that's going to make this less of an issue. The fact is that the typical user is going to see http://www.amazon.com@/fakepath/usualAmazoncrap:russianmafia.ru and think it's an Amazon URL.

    Ah! The joyous sound of yet another microsoft apologist.

    If the user is dumb as a brick and cannot see something funky with the URL - that's the user's problem.

    If Microsoft SCREWS the URL so royally that it looks perfectly normal that's Microsoft being the mass producer of crap software and failing to patch it.

    How are either of those examples of bad software in Firebird?
  • by Crypto Gnome ( 651401 ) on Friday January 30, 2004 @08:40AM (#8133670) Homepage Journal
    Just check my site at http://kobylkin.com and follow any link. You will see your address bar staying the same, does not matter what site you have landed on.

    I just did, Firebird 0.71 on XP.

    Every URL clearly shows the correct site it's going to in the statusbar when I mouseover.

    Yeah you faked it by putting your entire site in a whole-page frameset, but that's cheating - as opposed to showing a major security flaw and violation of the standards (which in this instance Microsoft is clearly admitting but flat out failing to fix).
  • Re:i knew it (Score:2, Insightful)

    by sepluv ( 641107 ) <<moc.liamg> <ta> <yelsekalb>> on Friday January 30, 2004 @08:41AM (#8133674)
    Doesn't the fact that it is acting as the anchor of the link make it semantically significant?

    Short answer: No.

    Long answer: Semantics basically means meaning. In almost all cases, if the link text in a page was not link text (i.e.: if all the href attributes were removed) it would have the same meaning. Likewise, I could add links for further information in anything I write like I could link to a definition of semantics in this post and it would not change what I was saying.

    Also, if the link is citing a source then it should be in a cite element so you cannot argue that the a element's purpose is for citing.

  • by trezor ( 555230 ) on Friday January 30, 2004 @08:47AM (#8133694) Homepage

    In an ideal, standardized world where W3C-specs were followed, and no-one sought to conquer the entire web through non-standard HTML-extensions and market-dominance...

    In such a pretty and ideal place, you wouldn't have to develop different sites for different browsers. You are making yourself the extra work, by supporting non-standards. No sympathy for you, my friend. No sympathy for the devil, indeed.

    As a slashdotter I thought you knew that IE is more or less a Win32-only product. And there's a hell lot more to the internet than Win32.

    Anyone excusing their IE-support with sheer marketdominance has obviously rid themselves of all the principles the net was founded on. But I guess that is ok, since most IE-users wouldn't know.

  • Almost (Score:5, Insightful)

    by trezor ( 555230 ) on Friday January 30, 2004 @09:10AM (#8133796) Homepage
    • PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

    I know this is offtopic flamebait, but hell it's so likely to be true...

    I believe Microsoft intentionally has a slightly broken CSS, so that everything that looks good in IE will look crappy in any standard-compliant browser.

    C'mon, it's not that crazy! We all know which mother has the marketshare here.

    It's not like most people even know there are standards anyway. "People" use FrontPage, or even worse, Word to make webpages these days, remember?

    So yes, I believe IEs CSS-support (or the CSS-support in any Microsoft product) to be intentionally broken. To gain marketshare. And that's paranoid me.

    Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages look like shit in IE. And, no I don't bother to make IE-CSS.

  • by hurtta ( 659055 ) on Friday January 30, 2004 @09:32AM (#8133927)
    On the one hand, couldn't Microsoft release a patch to filter out nasty characters and formatting in hyperlinks?

    Perhaps the same reason why Mozilla does not do that filtering?

    http://bugzilla.mozilla.org/show_bug.cgi?id=122445
  • the status bar (Score:2, Insightful)

    by pierpa ( 660405 ) on Friday January 30, 2004 @09:34AM (#8133943)
    there is this status bar that they want to hide.

    in every win xp i use, i always have to specify i want the status bar.

    also longhorn screenshots show that status bar is hated by microsoft look designers.

    the average user should be then informed about:

    - "right-click" on the link
    - select "copy link address"
    - paste in address bar
    - ...
    - profit

    i think it is not easy to explain.

    let the status bar survive!

    greetings,

    ppp

    p.s. i vote for firebird. best on linux and win. but camino on osx.
  • by trezor ( 555230 ) on Friday January 30, 2004 @09:41AM (#8133983) Homepage

    I know this really isn't a popular opinion around here, but still, it needs to be said.

    While it's true Windows isn't really the state of the art platform when it comes to security, it beats Linux when it comes to a few key issues. Like hardware support.

    Yes. I know. Hardware support in Linux isn't that bad, but still you encounter hardware you simply cannot get working under Linux. This isn't exactly a flaw in Linux, but for all hardware that is developed, you can swear the vendor will release Windows-drivers that makes hardware support a non-issue.

    And as far as voting with your wallet goes, you really never can tell it's an issue before you try it. This goes for my MP3-player (Creative). I couldn't get it working under any Linux or *BSD platform.

    Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecessary services (Universal PnP, Remote assistance, remote registry and so on...), and using non-Microsoft products. Like Mozilla or Opera for web-browsing.

    As much as we all love to hate Windows, it can be configured to operate decently. But in the name of "user-friendliness" it is configured to be insecure by default.

    And there goes my karma.

  • by shic ( 309152 ) on Friday January 30, 2004 @10:08AM (#8134202)
    While risking a lampooning from the Slashdot crowd - I use both IE and Outlook - though I have to admit that as a result of this story I've been tempted to try Firebird again. To be honest, it has improved greatly and I'm now giving it another shot.

    Outlook is less easy to replace... I've a target platform of XP, and need to interact with an exchange server. While I hate the clunky configuration, gaping security flaws and slow bloated memory-hogging Outlook, I have to admit that I find Word a very effective productivity tool when writing prose - even though it is a sledgehammer to crack a nut. I only want to send ASCII mail, but I want real-time spelling and grammar checking. When will open source catch up on this front?

  • by tepples ( 727027 ) <tepples.gmail@com> on Friday January 30, 2004 @10:16AM (#8134266) Homepage Journal

    In almost all cases, if the link text in a page was not link text (i.e.: if all the href attributes were removed) it would have the same meaning.

    I've seen your "almost all" shrink. Some blog authors write in a style reminiscent of Wikipedia [wikipedia.org], Everything 2 [everything2.com], and the like, whose pages gain some of their meaning from what their words link to. For example, "dumb MF" means one thing, but "dumb MF [georgewbush.com]" means another thing, namely "dumb MF, one example of which is President Bush".

  • by hurtta ( 659055 ) on Friday January 30, 2004 @10:52AM (#8134611)

    Which exploit exists in Mozilla? Is it in Bugzilla?

    Depends what you define to be "exploit".

    There is

    http://bugzilla.mozilla.org/show_bug.cgi?id=122445

    http://bugzilla.mozilla.org/show_bug.cgi?id=140064
    http://bugzilla.mozilla.org/show_bug.cgi?id=212999

    / Kari Hurtta

  • Re:i knew it (Score:3, Insightful)

    by TheSpoom ( 715771 ) * <{ten.00mrebu} {ta} {todhsals}> on Friday January 30, 2004 @11:26AM (#8134931) Homepage Journal
    You're insane, make the a element semantically totally different from what browsers interpret it as now? It's one thing to be non-backward compatible but that would be throwing the baby out with the bathwater.
  • by imadork ( 226897 ) on Friday January 30, 2004 @11:32AM (#8134988) Homepage
    I was about to join in on the chorus of M$ bashing here, because it's fun. Let's face it: the fact that they chose to release an advisory rather than use one of the many techniques listed in these comments to fix the problem reveals one of two things: they don't really have a commitment to security, or their IE code is so crufty that no one can fix it.

    But then I thought of a third possibility: even though this class of exploits may be fixable in future versions of IE, there are plenty of people who are running older versions of Windows with older versions of IE. Even if Microsoft's commitment to secure computing is genuine, there may simply not be enough manpower to go back and fix every version of IE for any new security fix that comes along.

    I see two classes of people benefitting from this KB article: those who are still running ancient versions of Windows on their old PC's, and those in a corporate environment where the IT department locks down their PC's to use only older, tested versions of Windows (and IE). In either case, even if Microsoft were to provide patches for every version of IE, the chance that the patch would actually be applied is slim.

    Of course, the probability of these users actually encountering this KB article in the course of their daily websurfing is also slim, but we'll let that slide for the moment...

  • by bilbobuggins ( 535860 ) <(moc.tnujtnuj) (ta) (snigguboblib)> on Friday January 30, 2004 @12:01PM (#8135277)
    Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecessary services (Universal PnP, Remote assistance, remote registry and so on...), and using non-Microsoft products. Like Mozilla or Opera for web-browsing.

    why don't people see that this is a MAJOR FLAW with the OS?
    the majority of home PC users are not slashdot geeks and simply don't have the time, and shouldn't have to worry about this sort of stuff.
    the whole founding principle of a home PC is that joe somebody is empowered to pursue his lifelong dream of starting a small business and can focus on producing/selling/etc. without having to be a mainframe technician on top of it. at what point does the amount of required fixes/patches/workarounds make a device cease being a tool and become a liability instead?

    sally middle-school teacher should be able to check her email without 5 service packs.
    bill janitor should be able to boot up a computer and check a sports score without being deceived by a major browser flaw into installing 16 trojans and zombie-fying his machine.

    the folks at redmond have forgotten so utterly and completely that the original idea of a computer was to help people that it's mind boggling.

    one of the most satisfying things in software dev can be watching someone's day become markedly easier b/c of something you worked on.
    microsoft has become the antithesis of that.

  • by El ( 94934 ) on Friday January 30, 2004 @12:37PM (#8135654)
    for all hardware that is developed, you can swear the vendor will release Windows-drivers that makes hardware support a non-issue. And for all hardware that is no longer being sold, you can swear because the vendor won't bother to develop drivers for it for the next release of Windows.
  • by boy_afraid ( 234774 ) <Antebios1@gmail.com> on Friday January 30, 2004 @12:52PM (#8135788) Journal
    Yep, I can see it. On my Mozilla, the spoof does NOT work, but in my IE the spoof works and is vulnerable.

    If Mozilla can fix it, why can't Microsoft??

  • by greymond ( 539980 ) on Friday January 30, 2004 @01:13PM (#8136062) Homepage Journal
    "I have a suggestion that's not in the Knowledge Base: don't use IE!"

    If you're the type of person who mistypes www.paypl.com (www.paypal.com) and ends up going to a scam site, using Konqueror, Opera, Safari, whatever isn't going to help you not get scammed.

    That's why it's important for those who make those types of mistakes to pay attention to the URL, and not what the page looks like. And if you're complaining about not having popup blocking, well, most AV (Norton, McAfee) programs now include popup blocking. And if the person doesn't have an AV then they're probably the person who also doesn't pay attention to their URLs and is also the person who needs to learn about these things.

    I know you want to be "1337" and all but pick a better example or reason to flame a product that's obviously more used than your favorite browser.
  • by Xenographic ( 557057 ) on Friday January 30, 2004 @01:18PM (#8136128) Journal
    Still, why hasn't anyone put up a little warning if you click on a URL to somewhere like:

    http://www.microsoft.com:8080?product+activation@1.2.3.4:56/activate.php

    That says:

    Warning:
    The link you have just clicked will take you to:
    Website: 1.2.3.4
    Port: 56

    It will log you in with the account:
    User: www.microsoft.com
    Pass: 8080?product+activation

    Is this what you intended?
    [ OK ] [ CANCEL ]

    Make it an option like all the other security warnings so you can ignore all such URLs, prompt (which gives the above prompt) or give no warning at all, which is what it's like now.

    Would this not be a useful feature, if it was set to 'prompt' by default? It would certainly help folks realize just where they're going, especially those who have no idea how to read a URL like that...
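The prompt proposed in the comment above can be built from a parsed link, shown here as an added example that is not part of the original thread. The function names are hypothetical, and the sample URL is a constructed variant of the one in the comment without the `?`, because a standards-following parser ends the host part at the first `?`.

```javascript
// Added example (not from the thread). Sample URLs are constructed.
// Uses the WHATWG URL parser that browsers and Node.js expose as `URL`.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

function describeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  const user = url.username;   // kept percent-encoded, exactly as parsed
  const pass = url.password;
  return {
    ok: true,
    host: url.hostname,        // where the request really goes
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
    user,
    pass,
    hasCredentials: user !== "" || pass !== "",
    // Spoof signature: the "username" is shaped like a host name.
    userLooksLikeHost: /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user),
  };
}

// Returns the warning text, or null when the link needs no prompt.
function linkWarning(href) {
  const info = describeLink(href);
  if (!info.ok) return "Warning: this link could not be parsed.";
  if (!info.hasCredentials) return null;
  return [
    "Warning:",
    "The link you have just clicked will take you to:",
    `Website: ${info.host}`,
    `Port: ${info.port}`,
    "It will log you in with the account:",
    `User: ${info.user}`,
    `Pass: ${info.pass}`,
    info.userLooksLikeHost
      ? "The user name looks like a site address. Is this what you intended?"
      : "Is this what you intended?",
  ].join("\n");
}

const spoofed = "http://www.microsoft.com:8080@1.2.3.4:56/activate.php"; // constructed
console.log(linkWarning(spoofed));
```
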
  • XHTML = DOA (Score:5, Insightful)

    by mccrew ( 62494 ) on Friday January 30, 2004 @01:41PM (#8136425)
    Now I'll be the first to say that XHTML is a good thing and all that HTML should have been, but unfortunately the horse has already left the barn, and so designing a more secure barn door lock is mostly an academic exercise. Clients are written to deliberately be tolerant of HTML, and to degrade gracefully in the face of malformed, broken, or just-plain-wrong HTML elements. There is just too much valuable information in HTML 3.2 out there that nobody will accept a client that is hard-core XHTML only, and so if XHTML clients have to be backwards compatible to be used, what's the motivation to go to the pains of converting to XHTML? I don't see it.

    Any solution that relies upon millions of people changing their behavior is dead on arrival.

  • Re:XHTML = DOA (Score:3, Insightful)

    by AuMatar ( 183847 ) on Friday January 30, 2004 @03:10PM (#8137535)
    It's dead for other reasons as well. The reason HTML took off was that it was SIMPLE. Any complete computer illiterate could write basic HTML. You want to put text in the center of the page, just use <center>text<\center>. They could understand that.

    Modern HTML- XHTML, stylesheets, etc is much harder for them to understand. They don't want abstractions and classes- they don't get them. They want <tag>text<\tag>. These features make things nice for professional designers- at the cost of everyone else. I guess if your goal is to increase job security by making it hard to do, you love it. If your goal was like that of original HTML- to make an easy to use markup language for the masses, the new standards all utterly fail.
  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Friday January 30, 2004 @03:17PM (#8137617) Journal
    Jesus God, this is stupid.

    Has anyone received any of those "www.e-qo1d.com [e-qo1d.com]" fraud emails?

    Try clicking the link. It does the standard URL spoofing.

    If you select the address and retype it (so long as you don't type a "/" at the end), you will remain at the scammer's website.

    So really, when they say "don't click; type the link" they mean:

    1) Click the link, so you can find out what the URL is.
    2) Open a whole new IE window and retype the link. The IE window you have already opened is poisoned.
  • Who has control? (Score:4, Insightful)

    by danila ( 69889 ) on Friday January 30, 2004 @04:47PM (#8138440) Homepage
    The biggest problem with browsers and other web-technologies is that they give more control to designers and webmasters, not to the users. Java, ActiveX, Flash, Javascript, CSS, etc. all allow designers and webmasters to determine more precisely what should happen on the user's end. Completely wrong and unacceptable, yet this is exactly what is happening.

    It is entirely possible to design a page that would open in an IE window without toolbars, scrollbars and statusbar. Then it is entirely possible to add interactive graphical elements to the sides that would behave exactly like real IE interface elements, only they would be fake. This is wrong. The standards should give limited control to providers of information, while browsers give ultimate control to the users. It is completely wrong that standards allow javascript to intercept mouseclicks and block rightclick menu. It doesn't affect me because I use Opera, which doesn't give a shit about that, but when I click the wheel (button 3), I see that stupid message window that informs me I shouldn't right click on that site. This isn't more than an annoyance, since scrolling still works and rightclicking is not affected at all, but this should never happen in the first place.

    Unicode addresses are wrong as well. They are an annoyance to the users. Have you ever seen a user (a visitor, the one who browses the web) request ability to use Unicode in URLs? I've never heard about that. It's some webmasters, who decided they want this stupid-stupid-stupid trick to work (and greedy registrars and their marketdroids) and broke a perfectly good addressing mechanism (I am Russian, but I never ever wanted Cyrillic URLs, even though now they are apparently supported).
