Two-year anniversary of Bug 122445 (Spoof prevention: Warn if username/password in link (url) looks like a hostname), and still nothing to protect anyone from this phishing trick. Things I’m for:

  • Dialog box for suspicious usernames: I understand that it’s YAWD, but in this case I think it’s warranted. If the user doesn’t ignore it, it lets them not load the site at all (a good thing). Users *do* just click through, though, so part two of the solution, a per-domain pop-up-blocker-style interface, might make sense…
  • Hostname (domain name)/username display: the URL bar should start with the hostname and then display the login/password after it or separately (one option; another is displaying the full URL but with the org info text at the end), or not at all. I don’t like URL chopping/mangling, but either (any! color it and escape it all for all I care) solution is better than allowing phishing to go on.
  • Links should start with [hostname] in the status bar/mouseover text, just as an additional FYI. If there’s no real way to prevent that from being spoofed in JS, though, maybe it’s not a good idea… (an inline warning might be interesting)
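As an added illustration of the check the first two bullets ask for (my own code, not anything from the bug or from Mozilla): a Python heuristic that pulls the userinfo out of a link, flags it when it looks like a hostname, and renders a hostname-first label for the URL bar. The heuristics, the 64-character limit and the sample URLs (documentation addresses) are my own assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed heuristics (mine, not the bug's patch): a dotted-quad address or
# whitespace padding in the userinfo part is a strong spoof signal; a plain
# dot is the weak signal the bug report originally proposed.
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
MAX_USERINFO = 64  # assumed threshold for "unusually long"


def analyze_url(url):
    """Return the real host of `url` plus any reasons its userinfo looks like
    a spoofed hostname (the username:password@host trick the bug is about)."""
    parts = urlsplit(url)
    result = {"host": parts.hostname, "userinfo": None, "reasons": []}
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return result
    # Everything before the last '@' is userinfo; decode %xx first so that
    # encoded padding or slashes are judged the way a human reads them.
    userinfo = unquote(parts.netloc.rpartition("@")[0])
    result["userinfo"] = userinfo
    reasons = result["reasons"]
    if IPV4_RE.search(userinfo):
        reasons.append("userinfo contains an IPv4 address")
    if "." in userinfo:
        # The bug's original heuristic. It also trips on legitimate HTTP auth
        # logins such as john.doe, which is the trade-off argued in the thread.
        reasons.append("userinfo contains a dot")
    if any(ch.isspace() for ch in userinfo) or len(userinfo) > MAX_USERINFO:
        reasons.append("userinfo is padded or unusually long")
    if "/" in userinfo or "?" in userinfo:
        reasons.append("userinfo contains path-like characters")
    return result


def is_suspicious(url):
    """True when any spoof signal fired; a UI would show the dialog here."""
    return bool(analyze_url(url)["reasons"])


def urlbar_label(url):
    """Hostname-first rendering as the second bullet proposes: the real host
    leads, the login (never the password) follows in brackets."""
    info = analyze_url(url)
    host = info["host"] or "<no host>"
    if info["userinfo"] is None:
        return host
    login = info["userinfo"].split(":", 1)[0]
    return f"{host} [login as {login!r}]"
```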

OK, I just finished reading the 150+ comments from the past two years on this bug. I’m feeling what slice1900 (the original bug submitter) is saying:

——-
Additional Comment #159 From slice1900@*** 2004-01-28 13:31 PST
——-

Given that Microsoft plans to update IE to completely do away with ALL HTTP/HTTPS AUTH, rather than attempting to sanity check them in any way, all I have to say is TFB to all you whiners who complained about how my original idea in the bug report to only care about .’s in usernames because it might inconvenience a dozen users at some obscure site or another using HTTP AUTH that’s dumb enough to have usernames with dots in them.

Mozilla should now just follow suit and disable ALL uses of HTTP AUTH in the browser because standard or not, now that MS is obsoleting it, the few remaining sites legitimately using it will cease soon enough when they have the first reports from IE users with the patch that it no longer works and they realize MS will no longer support it.

Of course I expect in reality that Mozilla will continue to do nothing, as those same whiners that obstructed anything constructive being done, like Adam’s patch that apparently was never considered by anyone with any power in the Mozilla organization to do anything about it, will continue to whine about how Mozilla should continue to support HTTP AUTH anyway, because it is the “standard”, even though only sites used where no users use IE would continue to use the brain-damaged HTTP AUTH option from this point on.

Thus ensuring that not only did Mozilla not take the leadership on this issue, despite my bug report being filed TWO YEARS AGO TOMORROW, it will probably remain for quite a while as the only browser still vulnerable in all its versions to the phishing scams. I’m sure those will go on for quite a while since there will be enough vulnerable versions of IE out there for several more years.

No wonder Mozilla never went anywhere; people were too worried about stupid crap like themes and support for stuff no one uses like SVG and MNG, instead of worrying about things that will benefit the average end user. Mozilla should just give up any illusions it is for the average user, and just content itself to be a geek browser for people who are already too smart to fall for such scams, and those of us who got their friends and parents to use it when they had one too many bad experiences with IE can send them Opera’s way instead since even though it is closed source and costs money, they actually seem to care about their users.

I will probably get flamed for this, maybe even kicked off bugzilla, but I really don’t care. I’m just so disappointed and disillusioned by the whole thing I probably won’t bother to ever waste my time contributing bug reports to Mozilla again anyway.

Here’s the MS KB announcement: 834489, “Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs”.