Full Disclosure mailing list archives
Re: Apparently the practice was prevalent
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Feb 2004 11:12:07 +1300
Scott Taylor <security () 303underground com> wrote:
> Wouldn't it make sense to accept user@pass, but NOT DISPLAY IT on the address bar? So even if someone clicks on a shady link, they don't see http://www.visa.com@crooks.com, they only see http://crooks.com on their address bar? And with all those miserable encoded characters translated back to plaintext too. Yeah, I know. Silly idea. Just too bloody obvious I guess.
Let's see...

First, you are proposing that IE have a non-standards-compliant behaviour re-instated? That is bad for several reasons already discussed.

Second, you are suggesting that IE should hide the fact that there is some kind of authentication involved. That is really stupid, as it is a sure bet that many clue-deprived web developers (you can read comments from some of them in Lemos' article to get an idea of the level of lack of care for security they _already_ have) will then see the mechanism as _more secure_ "because the user credentials are not displayed". These are a similar kind of moron to those web designers who think disabling left-click with JavaScript and using those trivial client-side runtime "decryption" scripts make their web page design tricks and/or script code "invisible" to others.

Third, I agree it would be a good idea if all encoded characters that can be rendered in the browser's address or status bar as "displayable" characters were rendered thus, rather than left encoded. AFAIR, that is how Mozilla, and I think Opera, already handle such situations.

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
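As an added example (not part of the thread), here is a small Python check showing what a standards-compliant URL parser makes of the kind of link discussed above: the real host is whatever follows the last "@" in the authority, and any percent-encoded userinfo is decoded into a displayable form, as Nick argues a browser should do. The sample URLs and the "looks like a hostname" heuristic are my own constructions, not from the list posts.

```python
from urllib.parse import urlsplit, unquote


def inspect_url(url: str) -> dict:
    """Report how a standards-compliant parser reads a URL's authority.

    Returns the real host (what a browser actually connects to), whether
    userinfo ("user:pass@") is present, a display-safe decoded copy of that
    userinfo, and a heuristic flag for userinfo that resembles a hostname.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    # urlsplit takes the host from the text AFTER the last '@', so anything
    # before it is credentials, however much it looks like a site name.
    real_host = parts.hostname or ""
    userinfo = netloc.rpartition("@")[0] if "@" in netloc else None

    display = None
    if userinfo is not None:
        # Decode percent-escapes so the reader sees the plaintext, but render
        # non-printable bytes visibly instead of letting them hide or truncate
        # what the address bar shows.
        display = "".join(
            ch if ch.isprintable() else "\\x%02x" % ord(ch)
            for ch in unquote(userinfo)
        )

    # Heuristic (assumption): credentials containing a dot look like a
    # hostname and are the classic sign of a look-alike link.
    looks_like_host = display is not None and "." in display

    return {
        "real_host": real_host,
        "has_userinfo": userinfo is not None,
        "userinfo_display": display,
        "userinfo_looks_like_host": looks_like_host,
    }


if __name__ == "__main__":
    # Constructed sample links for illustration only.
    samples = [
        "https://www.visa.com/",
        "http://www.visa.com@crooks.com/login",
        "http://www.visa.com%01@crooks.com/",
    ]
    for link in samples:
        print(link, "->", inspect_url(link))
```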