WebApp Sec mailing list archives

RE: Phishing


From: Adam Lydick <lydickaw () ruffledpenguin org>
Date: Thu, 13 May 2004 21:55:17 -0700

On Wed, 2004-05-12 at 17:26 +0100, Griffiths, Ian wrote:
Some good ideas there, Rogan. I too feel educating users is a large part of this, but how far can you go? Consider this (fictitious) URL:
 
https://secure.bank.com:/logon/12345 () nefarious fraud net/
 
Fairly easy to set up, completely compliant with protocol, starting with the right thing, looks genuine to the untrained eye and yet completely unscrupulous. I've actually seen something similar in the wild and I'm completely sure it works; spotting this takes more than a passing exposure to knowledge of URL composition.
 
Ian


<chop previous message>

I believe that is *not* a valid URL. It happens to work in many browsers,
but it should not (for making social engineering more difficult and RFC
compliance). Check out the bugtraq archives for some more detailed
discussion about this issue.

(The gist of it is -- while the generic description of URLs in an
earlier RFC allows for "user@", the use of it is on a
protocol-by-protocol basis and HTTP URLs do not permit its use.)

Adam Lydick
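As an added example (not code from either poster), here is a Python check that splits a URL the way RFC 3986 does and flags http/https URLs whose authority carries userinfo, i.e. anything before an "@". It uses Ian's fictitious hostnames (written with dots in place of the archive's address mangling) and adds one variant of his URL with no "/" after the colon. That variant matters: under the RFC grammar the first "/" after the "//" ends the authority, so the URL exactly as quoted above parses with host secure.bank.com and an empty port, while the slash-free form parses with username "secure.bank.com", password "logon12345" and real host nefarious.fraud.net, which is the trick Adam is describing. Sample URLs are constructed for the example.

```python
"""Flag http(s) URLs that smuggle a lookalike host into the userinfo part.

Added example for this thread; not from the original posters.  The RFC 3986
authority is  [ userinfo "@" ] host [ ":" port ]  and ends at the first
"/", "?" or "#", so only text before an "@" *inside the authority* is
userinfo.  Hostnames below are the fictitious ones from Ian's message.
"""
from urllib.parse import urlsplit


def describe(url: str) -> dict:
    """Split a URL per RFC 3986 and report which host it really points at."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "username": parts.username,   # None when the authority has no "@"
        "password": parts.password,
        "host": parts.hostname,       # the host a client would connect to
        "port": parts.port,           # None when absent or empty ("host:")
        "path": parts.path,
    }


def is_suspicious_http_url(url: str) -> bool:
    """True for http/https URLs that carry userinfo.

    RFC 2616's http_URL grammar has no userinfo, so any "user@" in an
    http(s) authority is either a browser extension or a deception attempt;
    treat it as suspicious either way.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.username is not None


# Constructed sample inputs (fictitious hosts from the thread).
SAMPLE_URLS = [
    # Legitimate login page.
    "https://secure.bank.com/logon/12345",
    # Ian's URL as quoted: the "/" after "secure.bank.com:" closes the
    # authority, so the "@..." is part of the *path*, not userinfo.
    "https://secure.bank.com:/logon/12345@nefarious.fraud.net/",
    # Slash-free variant: "secure.bank.com" is now the username and
    # "logon12345" the password; the real host is nefarious.fraud.net.
    "https://secure.bank.com:logon12345@nefarious.fraud.net/",
    # Plain user@host form with no password.
    "http://secure.bank.com@nefarious.fraud.net/logon",
]


def analyse(urls=SAMPLE_URLS) -> list:
    """Return (url, real_host, suspicious) for each input."""
    return [(u, describe(u)["host"], is_suspicious_http_url(u)) for u in urls]


if __name__ == "__main__":
    for url, host, flagged in analyse():
        print(f"{'SUSPICIOUS' if flagged else 'ok        '}  host={host!r:<25} {url}")
```

Note that this only catches the userinfo trick as a parser sees it; a browser that disagrees with the RFC about where the authority ends (as several did at the time) will still connect to the attacker's host, so the check belongs on the mail gateway or proxy, not in the user's eyes.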

