Re: Apparently the practice was prevalent

[Nick FitzGerald <nick () virus-l demon co uk>]

Scott Taylor <security () 303underground com> wrote:

> Wouldn't it make sense to accept user@pass, but NOT DISPLAY IT on the
> address bar? so even if someone clicks on a shady link, they don't see
> http://www.visa.com () crooks com, they only see http://crooks.com on their
> address bar? And with all those miserable encoded characters translated
> back to plaintext too. Yeah I know. silly idea. Just too bloody obvious
> I guess.

Let's see...

First, you are proposing that IE have a non-standards compliant 
behaviour re-instated?  That is bad for several reasons already 
discussed.

Second, you are suggesting that IE should hide the fact that there is 
some kind of authentication involved.  That is really stupid as it is a 
sure bet that many clue-deprived web developers (you can read comments 
from some of them in Lemos' article to get an idea of the level of lack 
of care for security they _already_ have) will then see the mechanism 
as _more secure_ "because the user credentials are not displayed". 
These are a similar kind of moron to those web designers who think 
disabling left-click with JavaScript and using those trivial client-
side runtime "decryption" scripts make their web page design tricks 
and/or script code "invisible" to others.

Third, I agree it would be a good idea if all encoded characters that 
can be rendered in the browser's address or status bar as "displayable" 
characters should be rendered thus, rather than left encoded.  AFAIR, 
is how Mozilla, and I think Opera, already handles such situations.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html