Microsoft Advises to Type in URLs Rather than Click
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
I use Firebird. (Score:3, Interesting)
9% is done with Opera 7.23. Mostly at home, since it's still small and light enough for my poor little Pentium machine.
Less than 1% is done with IE, mostly with horribly broken sites that only accept it, and I am actively searching for a replacement.
FWIW, I never use MS Outlook or Outlook Express either. Earlier this week, when MyDoom struck our email servers, a couple of coworkers were infected. I was not.
The moral of the story is that you can't trust Microsoft products.
Re:Hah! (Score:5, Interesting)
Firebird seems lacking in a few things for now.
Homograph attacks might bite us all (Score:5, Interesting)
Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for /., the advice to type URLs into the address bar may be one that we should all take to heart in the future.
As pointed out here [technion.ac.il], the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.
Example: one could replace the o's in http://www.microsoft.com [microsoft.com] with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.
A more serious example: my bank, the Dutch Rabobank [rabobank.nl], features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.
A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.
Are there any people from countries using non-latin domain names that might want to comment on this?
Re:Hah! (Score:5, Interesting)
Also if you can also educate others into non-IE browsers that will help marketshare and make more sites develop to the standards and not to MS only HTML/JS. Although to be honest I know of very few IE only sites, and I never need to use them anyway, YMMV.
Internet Explorer should offer... (Score:5, Interesting)
type THIS dude !!! (Score:1, Interesting)
http://groups.google.com/groups?dq=&hl=en&lr=&i
or even better type your own knowledgebase urls for sure
http://support.microsoft.com/search/default.asp
jeeebuz, Microsoft! -> get fucking lost !!!
Alas, some of us have little choice. (Score:5, Interesting)
Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...
So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank [anz.com]...
ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.
Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.
Re:How About.. (Score:5, Interesting)
damn, no kidding.
i design web sites for a living. there's nothing worse than getting a web site looking just the way you want, then running a W3C CSS and HTML validator and having everything check out 100 percent.
Re:Hah! (Score:2, Interesting)
I've been using it for some months now, and I find it extremely stable and fast.
(Version 0.7 on Windows XP)
- Erwin
Forms? (Score:2, Interesting)
Do you have any suggestion how to deal with web-forms? Especially those using POST method?
Sincerely yours ...
... and SSL will still work (Score:5, Interesting)
https://ϲоmmоnwealthbank.com.
(may not display properly - whatever, you get the picture)
and getting a perfectly valid ssl session. With entirely the wrong people - but the user would only notice if they looked at the cert.
Of course, you'd have to find a cert registrar dumb or unethical enough to give you a cert for the domain, but with people like Verisign around that can't be hard.
Re:Microsoft to remove the @ symbol from URLs (Score:3, Interesting)
To quote
In section 3.1 of the same document, it does allow usernames and passwords for the "Common Internet Scheme Syntax", but http and https do not belong to that category, which is why it is handled separately within the same document.
So while it may be a generally accepted practice, it isn't a standard.
Re:They can't be serious... (Score:5, Interesting)
Considering IE is here to stay (as you could never hope to convert the masses out there who think Opera is just the thing with fat ladies singing and that Mozilla is some stupid Japanese monster), I think people's time would be better spent raising awareness of IE's flaws and encouraging Microsoft to fix them rather than encouraging people to change browser.
Plus on
Re:They can't be serious... (Score:2, Interesting)
What would a non-vulnerable browser do, block all http authentication?
You're an idiot.
Use colors (Score:4, Interesting)
1. Display something for EVERY byte in the URL! (this is Microsoft's main problem). The only character that could plausibly display as a blank area is the byte with the value 32, and even that could show an underscore or something. If "%0102" is in the URL, show the characters '%', '0', etc. And obviously the text "%00" in the URL should not cause the rest to disappear. In case you think only Microsoft is stupid, Unix software often displays '\n' characters as breaks making multiple lines; in Mac's Safari this makes those spoof URLs display almost as badly as IE.
2. Display all non-ascii characters in a different color. Please ignore the probably loud Politically Correct crowd that will say you are demonstrating anglo-centric bias, those same people kept UTF-8 from being adopted for over 12 years (since it is obviously a bias to have westerners have the shorter characters) and actually hurt i18n far more than the most ignorant midwestern Cobol programmer did.
3. Display as much of the URL that corresponds to a site you have visited before in a different color. I.e. similar to showing a visited link in a different color in the page, show the preview of the URL with the hostname and leading directory levels colored where they match some URL you visited before. Then, assuming you visited your bank once, the fake bank address will be noticeable by not being colored.
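The homograph post above and this "Use colors" list both come down to the same defensive check: surface every code point, flag non-ASCII and mixed-script hostnames, and show the IDNA (punycode) form that actually reaches DNS. The following Python is an added example, not code from the thread or from any browser; the sample URLs are constructed (the spoofed one uses the page's own trick of a Cyrillic small o in "microsoft", and "other.example" is a placeholder host), and the "@" userinfo check covers the point raised in the "@ symbol" post.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples (not from the page): the genuine host, the page's
# homograph example with the Latin 'o' in "microsoft" replaced by Cyrillic
# small o (U+043E), and a URL whose "@" userinfo part hides the real host.
GENUINE = "https://www.microsoft.com/"
HOMOGRAPH = "https://www.micr\u043esoft.com/"
USERINFO = "https://www.microsoft.com@other.example/"  # real host: other.example

def script_of(ch):
    """Coarse script bucket from the Unicode name; digits/punctuation are COMMON."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def render_visible(url):
    """Show every code point: control chars and non-ASCII become \\uXXXX
    escapes, so no byte can render as blank or hide the rest of the URL."""
    return "".join(ch if ch.isascii() and ch.isprintable()
                   else "\\u{:04x}".format(ord(ch)) for ch in url)

def analyze(url):
    """Return the facts a defender would want surfaced in an address bar."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    scripts = {script_of(ch) for ch in host} - {"COMMON"}
    non_ascii = [(i, ch, unicodedata.name(ch, "?"))
                 for i, ch in enumerate(host) if not ch.isascii()]
    try:  # the IDNA/punycode label is what actually goes into DNS
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    return {
        "host": host,
        "punycode": punycode,
        "non_ascii": non_ascii,            # position, char, Unicode name
        "mixed_script": len(scripts) > 1,  # e.g. LATIN + CYRILLIC in one host
        "has_userinfo": parts.username is not None,
        "visible": render_visible(url),
    }

if __name__ == "__main__":
    for u in (GENUINE, HOMOGRAPH, USERINFO):
        print(analyze(u))
```

A browser or mail gateway applying this would color the `non_ascii` positions and show `punycode` next to the rendered host, which is exactly what makes the Cyrillic o stand out.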
Re:Hah! (Score:5, Interesting)
Examples would be things like plugins and things from mozdev.org that don't work, preferences that are not present in Firebird, etc.
Firebird is going to be a wonderful browser, it's already a very good browser, I just don't feel it's ready for (my) usage yet.
Re:Don't use IE? (Score:3, Interesting)
Visit that link in IE and see where it takes you. You might be surprised. I'd have just linked it, but
My other post [slashdot.org]
Re:i knew it (Score:5, Interesting)
IMO, as XHTML 2.0 is meant to be non-backwards-compatible, they should use the a element for the functionality of the acronym and abbr elements.
Re:They can't be serious... (Score:3, Interesting)
I have tested my browser (Mozilla Firebird) against all the spoofing bugs I can find and it is not vulnerable to any.
Re:Hah! (Score:3, Interesting)
Opera is fast, but Firebird is faster still, it renders pages better than Opera does. Another plus is SOCKS support which Opera does not (or did not?) have.
Firebird comes with less options than Opera basically, but so many add-ons exist, like the mouse gestures.
And if you have a small screen with a resolution that is not higher than 1024*768, Firebird gives far less space for its toolbars, leaving more for the pages.
Re:They can't be serious... (Score:5, Interesting)
i totally agree with you about the absurdity of the whole situation. however, i will admit that i know someone who will follow these instructions to a tee. my roommate refuses to listen to anyone when they recommend using an alternate browser [firebird, mozilla, and opera have all been suggested numerous times by numerous people]. instead i get to sit there and laugh at him while he bitches about popups, security holes, and having to copy/paste links into notepad to make sure they really go somewhere he wants to go. i truly get the feel that some people purposefully put themselves through pain to try to make a point. what that point is, however, is totally lost on me...
ultimate defeat (Score:5, Interesting)
1) we (Microsoft) know what a bad url is
2) we (Microsoft) assume that you may know what a bad url is
3) but for the life of us, we (Microsoft) just can't tell IE what a bad URL is
4) we (Microsoft) give up trying to teach IE what a bad URL is
5) hence we (Microsoft) ask you to please take care and avoid bad URL links
Re:They can't be serious... (Score:2, Interesting)
A quick look at the debate resulting from this book leads me to believe if Microsoft made cars today they'd be like the Chevrolet Corvair [corvaircorsa.com].
Actually Windows 2 is very much like the first run of the Corvair. The problems in Windows 2 were minor at best but needed to be addressed in any case. While Chevrolet took the problem seriously and fixed it, Microsoft would first blame the writers of Windows apps, then claim the problem was in all operating systems. The famous problem is the memory leak.
At first a minor nuisance, but the leak got worse with each new version of Windows.
Microsoft finally addressed the problem when they made Windows 95 and declared it fixed. But it wasn't, and the memory leak was bigger than ever. Other problems were found in 95 as well, making it the most buggy version of Windows at the time of its release, this in spite of the hype of a bug-free Windows 95. The first bug found was more of a feature left on by default.. letting anyone hijack any given Win 95 box. The first security bug in Windows and, for the time, the only security bug in any "desktop" operating system.
By the way, I found this [vex.net] to be quite interesting.
As always you can find more information with Google [google.com].
Re:normal people (Score:1, Interesting)
That's why you have the shortcut link to MozillaFirebird/Mozilla/Opera/Whatever but use the IE icon.
People still click what they know, but get a better browser to come up.
Re:They can't be serious... (Score:5, Interesting)
Considering IE is here to stay (as you could never hope to convert the masses out there who think Opera is just the thing with fat ladies singing and that Mozilla is some stupid Japanese monster), I think people's time would be better spent raising awareness of IE's flaws and encouraging Microsoft to fix them rather than encouraging people to change browser.
"People" do weird things sometimes - a large number of people went to the theater and paid perfectly good money to see 'Gigli' for example. I think it's incredibly weird that people still use IE even without the security problems, given that there are a number of faster, better-featured browsers available free for downloading. But "people" tend to move in flocks. All it would take would be a large enough catalyst, and I think there would be a mass migration.
Is this it? No. People are stupid - they won't switch because they should switch. People won't switch until they come to a roadblock: they want to do something and they find they can't. Even if every IE user were to see this KB entry, 99.9% would ignore it, and they'd blame "hackers" if they got hit by the vulnerability, not MS or IE.
If people get exposed to and get used to better browsers, though (corporate IT gets tired of trying to teach users not to click on things, for example), they'll get used to tabbed browsing, native popup-blocking, their BenJen browser theme, etc., then find they can't do the same at home with IE... they'll switch.
If IE were almost as good as Opera or Firebird, you'd be right about it being nigh invulnerable. It just isn't, though.
Re:They can't be serious... (Score:3, Interesting)
Perhaps that link doesn't go where you thought it did?
Old news (Score:3, Interesting)
Secondly, you can get 90% of the effect in any JavaScript-enabled web browser by using a mouseover in the status bar. That's not as bad as spoofing in the URL bar, as IE does, but it would likely fool far more geeks than would care to believe it.
You see, humans have lazy eyes and creative brains. The eye can only focus on a small area (which is why eye tracking allows psychologists to tell what word someone is reading) and yet we think we can see everything all at once. Peripheral vision is very good at detecting motion, which compensates quite well in the natural world. However, when a GUI element changes in a predictable way (e.g. the URL changing in the URL bar), our brains tend to be lazy at fact-checking and just fill in the blanks. Thus, even geeks like myself who use the URL bar extensively won't look when we think we know what's there.
There was an interesting usability study once regarding how often people use the status bar in Office-type programs. During the test, at random intervals, a message showed up in the status bar which said something like "There is a $20 bill on the bottom of your chair. If you see this message, you can take the bill." Not a single one of the test subjects took the money.
--
Friendster has a new direction. [leppik.net]
What's the motivation to use XHTML... (Score:2, Interesting)
Money. Or rather, saving it. XHTML+CSS designed websites are faster, and smaller (often in terms of many kilobytes). When you're dealing with a site that gets the volume of traffic that a site like this one [slashdot.org] gets (quoted at ~20 pages served per SECOND), the bandwidth savings are huge.
While we're on the topic of /. and web standards... Rob and co. really should look into updating. Check out A List Apart [alistapart.com] for a detailed [alistapart.com] analysis [alistapart.com] on how they could feasibly go about doing this.