Full Disclosure mailing list archives

Re: Apparently the practice was prevalent


From: Mattias Ahnberg <mattias () ahnberg pp se>
Date: Tue, 10 Feb 2004 11:32:46 +0100

"ST" == Scott Taylor <security () 303underground com> writes:

ST> Wouldn't it make sense to accept user@pass, but NOT DISPLAY IT on the
ST> address bar? So even if someone clicks on a shady link, they don't see
ST> http://www.visa.com@crooks.com, they only see http://crooks.com on their
ST> address bar? And with all those miserable encoded characters translated
ST> back to plaintext too. Yeah, I know. Silly idea. Just too bloody obvious
ST> I guess.

Now that they have implemented this behavior and it has made it into a
de facto standard, I too agree that it is just silly to suddenly remove
it due to other wrongdoings in the browser.

I do however agree that it is a problem that could help people be
fooled more easily than normal. But if so, why not just make it
alert the user that something might be fishy? As someone else
suggested, change the color of the user:pass part of the URL into
something else, light an icon to warn the user of it, or even
(*shiver*) have it pop up a warning notice.

I think that all of those would be better than just all of a sudden
disabling a feature that people are actually using for a lot of live
purposes.

/ahnberg.
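A check in the spirit of the warning Ahnberg proposes, added here as an example that is not from the post or the list: it parses a link the way a browser would, separates the userinfo from the host that is really contacted, decodes the encoded characters Scott mentions, and builds an address-bar form that keeps the feature working but flags the deceptive case. The sample links and the `.example` hosts are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links for the demo; none are taken from the original post.
SAMPLE_LINKS = [
    "http://www.visa.com@crooks.example/login",
    "http://www.visa.com%2Fsecure%3Fid=1@crooks.example/",
    "http://alice:secret@intranet.example/",
    "http://www.visa.com/",
]

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)
DELIMITERS = set("/?#\\")

def inspect_link(url):
    """Report where a browser would really connect and whether the
    userinfo (user:pass@) part of the link looks intended to mislead."""
    parts = urlsplit(url)
    info = {"host": parts.hostname or "", "username": None,
            "has_password": False, "suspicious": False, "reason": ""}
    if parts.username is None:
        return info                        # ordinary link, nothing to flag
    # Decode the raw userinfo so %2F, %3F etc. show what the eye would read.
    decoded = unquote(parts.netloc.rpartition("@")[0])
    info["username"], sep, _pw = decoded.partition(":")
    info["has_password"] = bool(sep)
    if any(c in DELIMITERS or not c.isprintable() for c in decoded):
        info["suspicious"] = True
        info["reason"] = "userinfo decodes to URL delimiters or control characters"
    elif HOSTNAME_RE.match(info["username"]):
        info["suspicious"] = True
        info["reason"] = "userinfo looks like a hostname"
    return info

def display_form(url):
    """Address-bar text in the spirit of the thread: the link keeps working,
    the real host comes first, the password is never shown, and a warning
    is appended when the userinfo looks deceptive."""
    info = inspect_link(url)
    if info["username"] is None:
        return url
    parts = urlsplit(url)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    login = info["username"] + (":***" if info["has_password"] else "")
    warn = " [WARNING: %s]" % info["reason"] if info["suspicious"] else ""
    return "%s://%s%s (login as %s)%s" % (parts.scheme, info["host"], tail, login, warn)

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(display_form(link))
```

The legitimate `alice:secret@intranet.example` link is left alone apart from masking the password, which is the balance the post argues for.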

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
