
Microsoft Advises to Type in URLs Rather than Click

CowboyNeal posted more than 10 years ago | from the tedious-surfing dept.

Internet Explorer 984

spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"


i knew it (5, Funny)

jester42 (623276) | more than 10 years ago | (#8133062)

I always knew that those hyperlinks were a bad security problem. Web designers should really avoid those proprietary 'href'-tags for security reasons.

Re:i knew it (5, Funny)

beda (158888) | more than 10 years ago | (#8133160)

You are right, gurus use 'a'-tag instead, with 'href' as an attribute.

Re:i knew it (0)

Anonymous Coward | more than 10 years ago | (#8133178)

I think it is a good suggestion, since that is the only way that newbies wouldn't fall for the spoof e-mails. PayPal, eBay, etc. It doesn't only apply to the vulnerability, because the attacker could also register similar domains (paypal, ebay, etc.) and still be able to collect the information.

They can't be serious... (5, Insightful)

zoney_ie (740061) | more than 10 years ago | (#8133210)

How on EARTH did someone write this KB article without cracking up. Are they for real or what?

I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...

Yeah, right. I can't get over this article - it's nearly like a spoof or something.

I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.

Good idea! (1)

graveyardduckx (735761) | more than 10 years ago | (#8133063)

Let's implement features and advise against using them! Pure marketing genius! It's like buying a Ferrari but not driving it! Well... it's IE so maybe a bicycle.

Re:Good idea! (0)

Bu Na Dan (575203) | more than 10 years ago | (#8133103)

Well, buy a computer with Windows preinstalled, but use another OS - I think we are already used to doing so?

Turn off Javascript, turn on the status bar (1, Informative)

dkf (304284) | more than 10 years ago | (#8133066)

Like that you'll at least always see where the link is going before you go there.

Re:Turn off Javascript, turn on the status bar (5, Informative)

linuxci (3530) | more than 10 years ago | (#8133094)

The point is there's a bug in IE that even with JavaScript turned off people can give the impression that you're going to a different URL than you really are, the worst thing is it also affects the address bar. Be safe, don't use IE

Re:Turn off Javascript, turn on the status bar (5, Informative)

teledyne (325332) | more than 10 years ago | (#8133154)

But it still doesn't make sense. Some secure sites have a feature that requires a referrer link when you access different pages. If you type in a URL, there is no referrer link, and so in that case, you might not be able to access that site.

On the other hand, I use Opera, and I love it. While it has a little banner that display ads depending on what you're currently surfing (unless you pay 30 bucks for it), I find it in no way to be intrusive. Go try it out.

Re:Turn off Javascript, turn on the status bar (2, Insightful)

NewWaveNet (584716) | more than 10 years ago | (#8133226)

If you're not using Mozilla Firebird you're not surfing the web you're suffering it

While it is true the IE is the holiest browser currently available, it also has an immense amount of incorrectly implemented features. Maybe I should start over...

IE has support for a large deal of things I wish were standard. However, too many internet bodies can't make decisions and standards are simply corrupted, leaving Microsoft to run around generating their own pseudo standards. As far as web development goes and building high quality, web-based applications (trust me, the backend to all sites I work on are served by one of the last servers VA sold) IE simply offers more flexibility, creative applications, and...well, a larger userbase [doctor-html.com]. While the application is inherently flawed, the theory and principles are good and would only further extend the realm of creative outlets if there was one standard.

I don't suffer because I use IE or develop sites that don't run in Opera. I suffer wasting time making sure the stripped down version of these sites work in Mozilla.

Time is money; I don't have either.

fpfpfp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8133067)


Re:fpfpfp (4, Funny)

radicalskeptic (644346) | more than 10 years ago | (#8133084)

Damn, if only you could have clicked the "reply" link instead of having to type the URL in manually for security reasons, you could have gotten first post. Curse you, IE!

Hah! (5, Funny)

DarkHelmet (120004) | more than 10 years ago | (#8133068)

I have a suggestion that's not in the Knowledge Base: don't use IE!

Yeah, and I have a solution to prevent malicious programs like IE from running that's not in the Knowledge Base...

Install Linux.

I hear you can buy a copy of it for around $600 somewhere [sco.com].

Re:Hah! (1)

akuma624 (690011) | more than 10 years ago | (#8133082)

What is the best browser for MS platform?? Mozilla, Opera,?? Let a brother know.

Re:Hah! (3, Informative)

Skyfire (43587) | more than 10 years ago | (#8133095)

Firebird [mozilla.org] is definitely the best.

Re:Hah! (5, Interesting)

byolinux (535260) | more than 10 years ago | (#8133110)

Firebird will be, but until then, vanilla Mozilla [mozilla.org] I'd say.

Firebird seems lacking in a few things for now.

Re:Hah! (2, Interesting)

EJB (9167) | more than 10 years ago | (#8133222)

Not to start a flamewar or anything, but what's wrong with Firebird now?

I've been using it for some months now, and I find it extremely stable and fast.

(Version 0.7 on Windows XP)

- Erwin

Re:Hah! (4, Informative)

Bish.dk (547663) | more than 10 years ago | (#8133108)

What is the best browser for MS platform?? Mozilla, Opera,?? Let a brother know.

Mozilla Firebird [mozilla.org] is a lean, mean browsing machine. Highly recommended. Remember not to click the link if you're in IE!

Re:Hah! (5, Funny)

The Fink (300855) | more than 10 years ago | (#8133224)

Oooh! I get it now!

This is all a big ploy, by Microsoft, to prevent "their" customers clicking on links which might take them to competitors' products. Sneaky! It might even be patentable!

What'll they think of next?

Re:Hah! (5, Interesting)

linuxci (3530) | more than 10 years ago | (#8133120)

Personally I'd say Mozilla Firebird [mozilla.org] but it's a matter of preference. The Mozilla [mozilla.org]'s are free and Opera [opera.com] is free if you don't mind a banner ad (or pay them for the ad free version), so just download them all and give them a go, they all have their good points. But one thing, if you do use Opera, please go into preferences and stop it 'Identifying as IE' that doesn't help people with flawed stats programs realise people are using alternative browsers.

Also if you can also educate others into non-IE browsers that will help marketshare and make more sites develop to the standards and not to MS only HTML/JS. Although to be honest I know of very few IE only sites, and I never need to use them anyway, YMMV.

Re:Hah! (4, Informative)

RAMMS+EIN (578166) | more than 10 years ago | (#8133171)

I see others have recommended Mozilla Firebird. It's a great browser indeed, and open source.

However, I recommend Opera [opera.com]. It's small, fast, very standards-compliant, and has lots of nice features that make browsing the web just a little more comfortable. Examples:

Don't want to wait for those graphics to load? Press G to stop loading them. You can selectively view some images if you need to.

Can't read the fonts? Color scheme ticking you off? Press Ctl+G to use the default stylesheet. Black text on white background, couldn't be more legible. Don't like the default stylesheet? Don't worry, you can change it.

Type g litigious bastards [sco.com] in the address bar to search for litigious bastards [sco.com] on Google.

Bookmark pages and assign aliases to them to surf there quickly. For example, I used sd for Slashdot and osn for OSNews.

I don't like mouse gestures, but some people love them. Opera does, too.

Etc, etc.

It's a pity Opera on Linux keeps crashing. On Windows, it's great, though.

psssssst! (1)

eclectro (227083) | more than 10 years ago | (#8133186)

Install Linux

I hear you can buy a copy of it for around $600

I have a copy and I will let you pirate it off me for only $10 s&h.

Don't tell anyone. It'll be "our little secret".

Type this link! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8133070)


GOATSE!! DO NOT TYPE!!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8133083)

Warning: parent post contains link to the infamous "goatse" photo.

Watch the status bar! (0)

Knight55 (742458) | more than 10 years ago | (#8133073)

I don't click to a 4 letter URL if I can't even see the full address in the status bar. Damn affiliates too.

Re:Watch the status bar! (2, Insightful)

jester42 (623276) | more than 10 years ago | (#8133122)

But the bug in IE is that I can make any URL look like a 4 letter URL in your status bar.

Trust, not technology issue (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8133075)

This is a trust issue, not a technology issue.

Re:Trust, not technology issue (1)

WhodoVoodoo (319477) | more than 10 years ago | (#8133125)

Oh man, you are so completely correct.
And I do believe the issue is to not trust Microsoft (to write decent, not great or even good, but merely serviceable software)

Easier way... (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8133076)

I didn't really read the article, but I am pretty sure that one option slipped their mind, whoever wrote it.

use another browser...

There are plenty of options available on the market :)

If you don't like OSS, for religious, political, or other reasons, one can always use Opera.
Otherwise Mozilla, Firebird, Konqueror, and others come to mind :)

Re:Easier way... (5, Insightful)

BenjyD (316700) | more than 10 years ago | (#8133138)

Then you have to fight the bizarre built-in pro-Microsoft stance of pretty much any non-techy computer user. I swear MS are putting something in the water.
You could install computers with IE and Mozilla, with a large message that popped up *every time* you ran IE saying "This browser is insecure and will allow criminals to steal your money. There is a far more powerful and secure browser on this computer - it's the red icon on the desktop".
And people would still use IE "'cos it's Microsoft".

Re:Easier way... (1, Funny)

This is outrageous! (745631) | more than 10 years ago | (#8133241)

I swear MS are putting something in the water

...corrupting our bodily fluids. I first realized that, Mandrake, during the act of love. Small and flabby. It has to be micro soft!

Why go half way? (5, Funny)

Snosty (210966) | more than 10 years ago | (#8133080)

I say go one step further for ultimate security and telnet to port 80.

Re:Why go half way? (0)

Anonymous Coward | more than 10 years ago | (#8133205)

Right... let's be more effective... let's all switch to MINITEL!

Re:Why go half way? (0)

Anonymous Coward | more than 10 years ago | (#8133243)

No, no. Too risky. SSH to port 80 to enable encryption! ;-)

Re:Why go half way? (1, Funny)

shird (566377) | more than 10 years ago | (#8133246)

Shouldn't that be port 443 (https) for maximum security? Of course, doing 2048 bit crypto in your head isn't the easiest of things.

Better solution (5, Funny)

CaptainAlbert (162776) | more than 10 years ago | (#8133081)

Why risk using the Web at all? Just e-mail the webmaster and ask him to fax the webpages to you [userfriendly.org]!

Re:Better solution (4, Funny)

Mork29 (682855) | more than 10 years ago | (#8133097)

E-mail? You must be crazy... Just stick to messaging the folks on your local BBS. I just got done downloading this kicking game called Lemonade Stand!

Re:Better solution (1)

Surazal (729) | more than 10 years ago | (#8133182)

E-mail? You must be crazy... Just stick to messaging the folks on your local BBS. I just got done downloading this kicking game called Lemonade Stand!

At first, I thought this was just a lame joke, but then I realized this poster, one Mork29, has just allowed me to relive one game title I devoted endless hours of my childhood to.

Lemonade Stand.

Sadly enough, it wasn't even on my computer. It was on a neighbor's computer. I watched him play it most of the time. Bastard.

Good times, good times.

Lemonade Stand. Sheesh...

Re:Better solution (5, Funny)

Mr_Silver (213637) | more than 10 years ago | (#8133127)

Why risk using the Web at all? Just e-mail the webmaster and ask him to fax the webpages to you [userfriendly.org]!

I followed Microsoft's advice and typed in your address but all I got was the MSN search engine telling me that the domain "fax the webpages" doesn't exist.

Re:Better solution (1)

AndroidCat (229562) | more than 10 years ago | (#8133209)

That cartoon leaves out a few steps that must be followed for proper business faxing procedure:

1. Print out copy of web pages.
2. Make photocopy of printout for individual's files.
3. Fax printout.
4. Put printout in department client files.

I wish I was kidding, but that was the SOP in one place 1990ish. (Except that there was no web to print back then, details!)

How About.. (4, Insightful)

thesupraman (179040) | more than 10 years ago | (#8133086)

They turn off all the 'automate EVERYTHING' approaches microsoft seem to think are a good idea, then it will become safe again to actually click on the links?

Really. perhaps a few more people should install pegasus email under windows, and download mozilla firebird - the world would really be a slightly better place!

Or is that just too obvious?

PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?


Re:How About.. (4, Interesting)

golgotha007 (62687) | more than 10 years ago | (#8133192)

What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

damn, no kidding.

i design web sites for a living. there's nothing worse than getting a web site looking just the way you want, then running a W3C CSS and HTML validator and having everything check out 100 percent. ...then to check the site with IE. holy crap, my PNG files aren't transparent anymore? what are all these extra spaces all over the place? why does the site now look so shitty?

Re:How About.. (0)

Anonymous Coward | more than 10 years ago | (#8133199)


[off topic] Re: MS IE support of CSS (1)

hany (3601) | more than 10 years ago | (#8133236)

PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?

IMO yes, it is broken intentionally, but I did not see the source code nor question the programmers of that software so ... as already written: IMO [In My Opinion].

In other news: secure banking (5, Funny)

VEGx (576738) | more than 10 years ago | (#8133090)

In other news M$ advises all online banking users to walk in to their nearest bank office to secure their online banking...

riight (1, Funny)

WhodoVoodoo (319477) | more than 10 years ago | (#8133091)

"okay, instead of patching our crap that you paid for, just don't use these features. That's right, they're bugs, not features! But we won't patch them for numerous unspecified reasons."

"By the way, you knew it wouldn't be anywhere near secure when you bought it. Remember lovebug? eh? Oh, we're better than linux/bsd/unix/sunos/macos for numerous unspecified reasons."

--an open letter from MS (well, at least they could have the courtesy to tell us directly they're ridiculous)

*sigh* we're all screwed.

uhh? (4, Funny)

aarku (151823) | more than 10 years ago | (#8133092)

Is it just me or does the title of the article read:

Eight-hundred-thirty-three-thousand-seven-hundred-eighty-six Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks

CLIE? (5, Funny)

mattjb0010 (724744) | more than 10 years ago | (#8133098)

Microsoft Advises to Type in URLs Rather than Click

So now MS is promoting a return to command line interfaces?

And people say linux is hard to use (0)

Anonymous Coward | more than 10 years ago | (#8133104)

With these recommendations Linux jumps lightyears ahead in usability ;)

I am pretty sure my grandma would rather click the link in Firebird, than type it herself.
I think the javascript option is also out of the question for her...

Nice workarounds...

I use Firebird. (2, Interesting)

Noryungi (70322) | more than 10 years ago | (#8133106)

90% of my surfing is done with Firebird, either under Windows or Linux. It's fast (on a Pentium IV @ 2.0 GHz), complete and full-featured.

9% is done with Opera 7.23. Mostly at home, since it's still small and light enough for my poor little Pentium machine.

Less than 1% is done with IE, mostly with horribly broken sites that only accept it, and I am actively searching for a replacement.

FWIW, I never use MS Outlook or Outlook Express either. Earlier this week, when MyDoom struck our email servers, a couple of coworkers were infected. I was not.

The moral of the story is that you can't trust Microsoft products.

Homograph attacks might bite us all (5, Interesting)

ControlFreal (661231) | more than 10 years ago | (#8133115)

Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for ./, the advice to type URLs into the address bar may be one that we should all take to heart in the future.

As pointed out here [technion.ac.il], the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.

Example: one could replace the o's in http://www.microsoft.com [microsoft.com] with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.

A more serious example: my bank, the Dutch Rabobank [rabobank.nl], features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.

A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.

Are there any people from countries using non-latin domain names that might want to comment on this?

Re:Homograph attacks might bite us all (4, Insightful)

linuxci (3530) | more than 10 years ago | (#8133155)

There's no excuse to have to go to ridiculous means to prevent spoofing, and manually typing in URLs is excessive, in fact I'd say the vast majority of people in here that use IE at home out of choice are doing it because they're too lazy to try alternatives (I can't think of any other reason why they'd prefer IE) so they're not gonna type URLs manually either - and the non tech literate public won't even know to do this.

So it's up to the browser makers to take action if this is really a security risk.

The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar making this not possible.

Re:Homograph attacks might bite us all (4, Insightful)

ControlFreal (661231) | more than 10 years ago | (#8133191)

I fully agree with you that it should not be necessary. However, I assume that you are from a country using a latin charset (being Dutch, I am). However, even though we as "westerners" might still be in the majority (are we still?), this might not always be like this.

For example: the number of Chinese internet users [technewsworld.com] went from roughly 600 thousand to 80 million in the timespan 1997-2003. So there will be lots more. And that's only China. I can only imagine that these people want domains in their own charset (at least we have lots of domain names in Dutch here in Holland, but of course we have the advantage of using a Latin charset).

In that case, a general "block" on multilingual domains in the address bar won't work.

Re:Homograph attacks might bite us all (1)

Tim C (15259) | more than 10 years ago | (#8133195)

The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar making this not possible.

But if it's Unicode, surely it's a single character set - isn't that the entire point?

Re:Homograph attacks might bite us all (1)

Mr Smidge (668120) | more than 10 years ago | (#8133231)

If TCP/IP had a presentation layer, then perhaps all network communications would be able to identify what charset strings were being sent in. At least that way we could use a number of local character sets, and perhaps the browser could warn if a different one was needed to view a webpage.

However, I can see the above method getting tedious for the user. How about a browser that has a list of obvious homographs, and can warn when the tactic is being used?

"This hyperlink leads to www.microsoft.com (Cyrillic character set), but the following sites also exist:
www.microsoft.com (Latin character set)."

Perhaps a more inhibiting solution would be to *only* allow a domain name to contain characters from the local character set of the country to which that domain belongs. But again, I can see problems with that too.

I'm all for internationalisation, but this is going to be a tough one.
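As an added example (not part of any comment in this thread), the two defences proposed above can be sketched in JavaScript: flag any hostname label that mixes scripts, and compare a look-alike "skeleton" of the name against a list of known sites. The `LOOKALIKES` table, the `checkHostname` helper and the sample hostnames are constructed for illustration; a real check would use the full Unicode confusables data.

```javascript
// Added example, constructed data throughout.

// Scripts to tell apart; a small illustrative subset, not a full policy.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Greek: /\p{Script=Greek}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
};

// Look-alike letters mapped to the Latin letter they resemble.
// Hypothetical hand-picked subset, for illustration only.
const LOOKALIKES = {
  '\u043e': 'o', // CYRILLIC SMALL LETTER O
  '\u03bf': 'o', // GREEK SMALL LETTER OMICRON
  '\u0430': 'a', // CYRILLIC SMALL LETTER A
  '\u0435': 'e', // CYRILLIC SMALL LETTER IE
  '\u0440': 'p', // CYRILLIC SMALL LETTER ER
  '\u0441': 'c', // CYRILLIC SMALL LETTER ES
};

// Which of the scripts above do the letters of one DNS label use?
// Digits and hyphens belong to no script here and are ignored.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Replace every known look-alike with its Latin twin.
function skeleton(hostname) {
  return [...hostname].map(ch => LOOKALIKES[ch] || ch).join('');
}

// The ASCII (punycode) form that is actually sent to DNS.
function wireForm(hostname) {
  try {
    return new URL('http://' + hostname).hostname;
  } catch {
    return null;
  }
}

// knownHosts: hostnames the user already trusts (assumed to be ASCII).
function checkHostname(hostname, knownHosts) {
  const host = hostname.normalize('NFC').toLowerCase();
  // Defence 1: a single label drawing on more than one script.
  const mixedScriptLabels = host.split('.').filter(l => scriptsOf(l).length > 1);
  // Defence 2: the name differs from a known site only by look-alikes.
  const skel = skeleton(host);
  const imitates = knownHosts.find(k => k !== host && k === skel) || null;
  return { host, wireForm: wireForm(host), mixedScriptLabels, imitates };
}

// Constructed samples: Cyrillic "o" inside an otherwise Latin label,
// and a label written entirely in Cyrillic that reads as "pace".
const KNOWN = ['www.microsoft.com', 'www.rabobank.nl', 'pace.example'];
console.log(checkHostname('www.micr\u043esoft.com', KNOWN));
console.log(checkHostname('\u0440\u0430\u0441\u0435.example', KNOWN));
```

The second sample shows why the mixed-script rule alone is not enough: a label written wholly in one non-Latin script passes it and is caught only by the skeleton comparison.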

Re:Homograph attacks might bite us all (4, Insightful)

MonTemplar (174120) | more than 10 years ago | (#8133172)

You don't even need to go digging for Unicode characters to pull off tricks like that. As demonstrated on Slashdot itself! Some examples: Anonvmous Coward (y replaced by v), MonTemp1ar (l replaced by 1 (one)). At least with /. usernames you have the UID that can be checked against to confirm the person's identity. No such luck if you apply the same trick to URLs - how many people are going to spot the difference?


Re:Homograph attacks might bite us all (1)

EJB (9167) | more than 10 years ago | (#8133212)

Sounds like there is a duty here for the domain registrars.

They should make a list of all letters that are visually too close, and disallow registration of a domain if it visually resembles an existing domain too much.

It would open a tiny can of worms, but at least this is a whole lot more objective than the "sounds like" similarity that pops up in trademark disputes (hey, Mike Rowe ! :)

- Erwin

MD5 checksums? (1)

hany (3601) | more than 10 years ago | (#8133223)

So maybe in future we'll see MD5 checksums or fingerprints (or something other, still strong but more easily "visually comparable") presented in the page along with the link and also UA (user agent a.k.a. browser) will display somewhere the checksum of link the mouse hovers upon.

Note: Anybody is free to use this idea as long as he does not patent it and then abuse this patent for extorting money from others who actually do something (other than employing just some lawyer and maybe also secretary and accountant).

Note: I do not claim I'm the first one to have such idea, but in case I am, then see the previous note.

And final note: Do not be very serious. We should have also some fun while we're alive. :)

Re:Homograph attacks might bite us all (0)

Anonymous Coward | more than 10 years ago | (#8133250)

Homograph attacks? I don't like all these new features that are being added to my Gaydar.

Typing URLs? Knowing that it's spoofed? Yeah right (1)

phoneboy (11009) | more than 10 years ago | (#8133119)

I mean, sure, Slashdot readers probably can, but most of us are already using a non-vulnerable browser on a non-vulnerable platform anyway. Joe Sixpack is going to have no fucking clue how to tell if a URL is spoofed or not, nor is he necessarily going to type the URL either.

This is obviously a case of Microsoft being caught red-handed with their pants down around their ankles and trying to cover themselves with Saran Wrap. A pretty transparent cover-up...

Re:Typing URLs? Knowing that it's spoofed? Yeah ri (1)

Simon Lyngshede (623138) | more than 10 years ago | (#8133217)

And how do they get Mr. Sixpack to stop clicking on links and type in the URL, if they can't even get him to stop clicking on suspicious email attachments?

Because we all know that the Sixpack family is concerned with security and keep their anti-virus up-to-date, read the latest virus announcement and of course they keep track of Microsoft's security advisories..... Or perhaps NOT.

Telling the average user to type in URLs doesn't fix anything. Microsoft trained their users to not care, why do they think they can change that overnight?

What about .... (4, Insightful)

sdukaric (640170) | more than 10 years ago | (#8133123)

Let's say M$ user types in URL but on that URL is redirection to faulty URL? The thing is, they can do nothing about it. And nowadays some regular URL has like 30+ characters with all those PHP-Nuke/Puke portal engines and horror CMS engines. SO, M$ crew, create a real browser and stop dragging us/them to a stone age...

Ahh sweet sweet irony (4, Funny)

quantaman (517394) | more than 10 years ago | (#8133132)

http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786

Need I say more?

Don't use IE (4, Informative)

91degrees (207121) | more than 10 years ago | (#8133136)

I try to convince other people of this. Firebird contains a popup blocker, supports tabbed browsing, is more secure, and has a gestures plugin.

The other people just don't. It's not like they don't know how. These are proper techies. They just make up daft excuses like not trusting free software.

Maybe trust is important. You can trust IE after all. You can trust it to be insecure.

This isn't new! (0)

Anonymous Coward | more than 10 years ago | (#8133137)

http://slashdot.org/comments.pl?sid=94638&cid=8116264

damn /. :p

short question (1)

mirko (198274) | more than 10 years ago | (#8133139)

Dear Mr Krosoft :
What if the URL is checking for a proper referral when accessing it ?

Why also be shy and just typing an URL when you could perform a complete HTTP/1 session using a (... sorry : THE MS) terminal application ?

well... (1)

REBloomfield (550182) | more than 10 years ago | (#8133146)

They used to have a 'Comment on this Article' feature which I was about to fill with an angry rant, but they appear to have pulled the feature....

This is a dupe, but almost merited (1)

fruey (563914) | more than 10 years ago | (#8133158)

This was already mentioned in a story yesterday. Or maybe it was in a comment. But anyway, it almost beggars belief that MS could seriously recommend that you type URLs yourself. The web's whole purpose is for hyperlinks. The internet, for most people, is all about interactive hyperlinking. That's the crux of the whole WWW !

Not only should they fix this immediately, but they have a responsibility to the community that they force their browser on to at least provide them with a browser that is not open to such a simple hack.

The only counter argument I can think of for hiding the user/pass syntax before the @ in the first place is to "stop the password being in cleartext on the screen when viewing" and I think we can all see through the pointlessness of that argument.

O Firebird, Firebird, wherefore art thou Firebird?
(Who can) deny thy greatness and refuse thy name;
Or, if they wilt not, be sworn to hell,
As soon there'll no longer be an Internet...

With apologies to the great bard.

Microsoft to remove the @ symbol from URLs (5, Informative)

krappie (172561) | more than 10 years ago | (#8133161)

It hasn't made it on Slashdot yet, but Netcraft is reporting [netcraft.com] that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.

For more information, please see Microsoft's advisory [microsoft.com]. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".

After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..

Workarounds for this new behavior are listed as:
* Do not include user information in HTTP or HTTPS URLs.
* Instruct users not to include their user information when they type HTTP or HTTPS URLs.

How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
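As an added example (not part of the comment above or of Microsoft's advisory), this is how a mail filter or proxy could audit a hyperlink for the two tricks discussed here: user information placed before the `@` to disguise the real host, and link text that shows one site while the target is another. The `auditLink` helper and the sample links are constructed; the IP addresses come from the documentation ranges.

```javascript
// Added example, constructed data throughout.

// Userinfo shaped like "www.something.tld" is a strong hint of disguise.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s; // malformed percent-encoding: keep the raw form
  }
}

// If the visible link text is itself a URL or bare hostname, return
// the host it shows; otherwise (e.g. "Click here") return null.
function shownHost(text) {
  const t = text.trim();
  if (t === '' || /\s/.test(t)) return null;
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : 'http://' + t;
  try {
    const h = new URL(candidate).hostname;
    return h.includes('.') ? h : null;
  } catch {
    return null;
  }
}

// href: the link target; visibleText: what the reader sees (optional).
function auditLink(href, visibleText = '') {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch {
    return { host: null, findings: ['unparseable URL'] };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { host: url.hostname, findings };
  }
  // The host the browser will really contact is whatever follows the "@".
  if (url.username !== '' || url.password !== '') {
    findings.push('userinfo present in HTTP(S) URL');
    const user = safeDecode(url.username);
    if (HOSTLIKE.test(user)) {
      findings.push(`userinfo "${user}" looks like a hostname`);
    }
  }
  const shown = shownHost(visibleText);
  if (shown && shown !== url.hostname) {
    findings.push(`link text shows ${shown} but target is ${url.hostname}`);
  }
  return { host: url.hostname, findings };
}

// Constructed samples.
console.log(auditLink('http://www.microsoft.com@198.51.100.7/login'));
console.log(auditLink('http://203.0.113.9/x', 'https://www.rabobank.nl/'));
console.log(auditLink('https://www.rabobank.nl/login', 'Click here'));
```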

Re:Microsoft to remove the @ symbol from URLs (1)

Superkind (261908) | more than 10 years ago | (#8133240)

What standards are they breaking by removing user/password information from http(s) URLs?

RFC 1738 [rfc-editor.org] doesn't mention them. RFC 2396 [rfc-editor.org] says some things about a general scheme for including user/password information in a URL (but only for protocols that do not have their own URL schemes like HTTP does), and RFC 1945 [rfc-editor.org] again confirms that user/password information do not belong to the HTTP URL scheme.

Finally this is a thing Microsoft does right.

Re:Microsoft to remove the @ symbol from URLs (4, Insightful)

Jugalator (259273) | more than 10 years ago | (#8133242)

Yes. Unfortunately they never seem to have realized they could avoid the problem by doing like Opera for example... Dialog:

You are entering www.thewebsite.com while using this login information:

User name: blah
Password: foo


[ Yes ] [ No ]

This is great ... (2, Insightful)

boris_the_hacker (125310) | more than 10 years ago | (#8133167)

... and even though I don't use Windows this is a nice step towards better security.

My main issue is this, the knowledge base is huge - there are thousands of articles, therefore although the article is there how many *normal* people actually read it ? The people that need the information the most are those that are less computer literate and the same people that would rather be playing flash games than reading a document on a "geeky computer" website.

It is same with the "oh they should use another browser", at the end of the day they don't really care until they get bitten - and even then they will make the same mistakes again. I personally think that the software update mechanism (where the window pops up if there are updates) is great under OS X. You would have to be really retarded to ignore it.

Maybe Windows and Linux could do with something like this ? I know debian has its security feed (which I use), but it'd be useful if it alerted me that there were updates. I also remember there being a update manager but maybe it shouldn't allow you to not install the security updates. (Please forgive my lack of knowledge of the recent windows situations WRT updates- I rarely use it so please don't flame back but I would be genuinely interested to know - for the sake of my parents computers)

Anyway, end of post.

Internet Explorer should offer... (5, Interesting)

2bot_or_not_2bot (634313) | more than 10 years ago | (#8133168)

(1) Checkbox to disable "kiosk mode" from EVER happening!
(2) Checkbox to disable pop-up windows (or prompt user per pop-up) as opposed to disabling Javascript altogether.
(3) Outlook-specific settings for HTML preview so that most features can be turned off for e-mail preview; stop spam from essentially calling home via preview, or playing virus MP3, etc. For example, by default forbid all HTML-formatted e-mail from accessing the Internet and running scripts -- just totally passive HTML. The user, at his or her discretion, can right-click on the body of an e-mail to select further previewing rights for trusted mail.
(4) Checkbox to reject URLs that use unicode characters -- just an option;
(5) Checkbox to forbid wacky URLs with "obvious" redirection tricks;
(6) Option to set the "maximum number of browser windows to open per second". One can set this to a rate slower than one's ALT-F4 pressing rate, to win the battle against run-away pop-ups.
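The URL checks raised in this thread (the Opera-style warning about login information in a URL, and the options to flag Unicode host names and redirection tricks), sketched as an added example that is not part of any comment here or of any browser's code. The function name `inspectLink`, the sample URLs, and the reading of "redirection tricks" as a query parameter holding a URL for a different host are assumptions.

```javascript
// Added example, not from the thread: inspect a link target before following it.
// inspectLink is a hypothetical helper; *.example hosts are reserved names.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { host: null, warnings: ['not a parseable absolute URL'] };
  }
  const warnings = [];

  // Everything before "@" in the authority is login data, not the site name.
  if (url.username !== '' || url.password !== '') {
    warnings.push('userinfo: You are entering ' + url.hostname +
      ' while using this login information: user name "' + url.username + '"');
  }

  // The URL parser converts non-ASCII host labels to their "xn--" form.
  if (url.hostname.split('.').some((label) => label.startsWith('xn--'))) {
    warnings.push('unicode-host: host name contains non-ASCII characters');
  }

  // Assumed reading of "redirection tricks": a query value that is itself
  // an http(s) URL pointing at a different host.
  for (const [name, value] of url.searchParams) {
    let inner;
    try { inner = new URL(value); } catch (err) { continue; }
    if (/^https?:$/.test(inner.protocol) && inner.hostname !== url.hostname) {
      warnings.push('redirect: parameter "' + name + '" points to ' + inner.hostname);
    }
  }
  return { host: url.hostname, warnings };
}

// Constructed sample links.
const samples = [
  'http://www.bank.example@login.other.example/account',
  'http://xn--bcher-kva.example/',
  'http://www.shop.example/go?next=http%3A%2F%2Fother.example%2Flogin',
  'https://www.shop.example/cart?id=42',
];
for (const s of samples) console.log(s, inspectLink(s));
```
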

Re:Internet Explorer should offer... (5, Funny)

dohcan (214140) | more than 10 years ago | (#8133196)

Is that the long way of saying "just use Mozilla" ?

type THIS dude !!! (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8133176)

all righty, foolish microsoft idiots, learn to type some google group urls

http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=alt.comp.hardware.overclocking.amd&safe=off&selm=bvckv9%24qpsad%241%40ID-222886.news.uni-berlin.de

or even better type your own knowledgebase urls for sure

http://support.microsoft.com/search/default.aspx?InCC_hdn=true&Catalog=LCID%3D1033%26CDID%3DEN-US-KB%26PRODLISTSRC%3DON&withinResults=&QuerySource=gASr_Query&Product=msall&Queryc=833786&Query=833786&KeywordType=ALL&maxResults=25&Titles=articleid&numDays=&InCC=on

jeeebuz, Microsoft! -> get fucking lost !!!

Alas, some of us have little choice. (5, Interesting)

The Fink (300855) | more than 10 years ago | (#8133188)

It's part of our IT department's standard operating environment to have MSIE as the only browser on Windows platforms. It's also part of their policy to prevent additional programs -- specifically including web browsers of any kind -- from being installed, and the penalty for doing so is not something I really feel like finding out. People have been fired for repeat violations.

Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...

So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank [anz.com]...

ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.

Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.

Aye! (1)

RAMMS+EIN (578166) | more than 10 years ago | (#8133194)

So, here we go:

I'm a dyslexic agnostic with insomnia; I lay awake at night wondering if there really is a dog.

Are you out there Mike Rowe? (2, Funny)

wan-fu (746576) | more than 10 years ago | (#8133198)

And to think, that enough people got MikeRoweSoft.com confused with microsoft.com to warrant a security bulletin.

What's next? (5, Funny)

This is outrageous! (745631) | more than 10 years ago | (#8133202)

"Protect yourself from clicking links by disconnecting the mouse!"

"Protect yourself from email worms by walking to the post office!"

"Protect yourself from p2p worms by buying your music on 8-track tape!"

"Protect yourself from joe-jobs by not using your hotmail address!"

"Protect yourself from internet credit card theft by using dollar bills exclusively!"

"Protect yourself from e-banking snoopers by keeping your savings under the mattress!"

"Protect yourself from spam by disconnecting the internet!"

"For Christ's sake, protect yourself from illegal operations by turning off your computer NOW!"

(Oops, this one's not new.)

Meaningful URLs (1)

gmuslera (3436) | more than 10 years ago | (#8133204)

Nice suggestion from a URL that looks like http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786 (or it was 833782? or scid=xb?)

Having meaningful URLs is a good goal, especially when you can't simply click for one reason or another (i.e. a printed URL or a medium that doesn't enable that). But recommending not to use the basis of the web in a web browser is a clear signal that something is wrong... either the web, or that web browser.

er, yeah (0)

Anonymous Coward | more than 10 years ago | (#8133207)

Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information.

SSL/TLS is typically used to help protect your information as it travels across the Internet by encrypting it. However, it also serves to prove that you are sending data to the correct server. By checking the name on the digital certificate used for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. To do this, verify that the lock icon appears in the lower right corner of the Internet Explorer window.

What a fucking joke, does Microsoft actually expect that people who think they can "install the internet" are going to be able to do this? The fact that they think posting security advisories on not clicking "untrusted links" (!) and telling people to manually examine security certificates on their own, instead of just fixing their god-damned software ASAP makes me think they either:

a) don't have a clue about the "usability" they profess to be so innovative in, or
b) don't give a shit about their users

Don't use IE (0)

lwillems (551095) | more than 10 years ago | (#8133208)

I have a suggestion that's not in the Knowledge Base: don't use IE!

That wouldn't really help anything. Crackers will always exploit weaknesses in the programs that are used the most. If Mozilla were the most popular browser then it would have the most exploits.

Prosecuting Microsoft? (1)

spoodie (641820) | more than 10 years ago | (#8133215)

In light of this and other issues caused by Microsoft products, the current MyDoom chaos and similar incarnation for instance, is it time legal action should be taken against Microsoft for negligence? Would anyone have a legal leg to stand on if they went up against the might of the army of MS lawyers?

MS often don't want to tell you about their flaws (1)

Jugalator (259273) | more than 10 years ago | (#8133227)

I just got the latest issue of a computer magazine I subscribe to, and they had a picture of Microsoft showing a slide explaining how their future security strategy will work and (of course) the positive effects that will come from it. In the center of the slide, there was a quote very similar to this one:

"Make efforts to cause public disclosures about security flaws look bad".

I wonder what they're thinking? So they'll get time to peacefully work on solutions while virus writers spread their work of art?

horrible (0)

Anonymous Coward | more than 10 years ago | (#8133239)

microsoft has the morality and obligation of a drunk driver...

They crash into everything, ruin tons of people's businesses and lives.

I dream of a day, a day when the planet will live without terror and fear of the Microsoft OS.


New patent coming... (2, Funny)

philippeqc (466804) | more than 10 years ago | (#8133244)

Why do I have a chill running down my spine about a new patent concerning "Zero click navigating"?


Forms? (2, Interesting)

rastos1 (601318) | more than 10 years ago | (#8133248)

Dear MS support,

Do you have any suggestion how to deal with web-forms? Especially those using POST method?

Sincerely yours ...
