So, I got sent a link to a story about the Janet Jackson Super Bowl thing. First place I checked online to see it? Filepile. Already there with double digit votes, HDTV captures, and some great remixes.

In summary: violence ok, boobs ok, war on drugs double plus good, moveon.org terrorists

Ha! Got a request to buy a text link on my blog from an SEO company. (And what's the link, you ask? The link is to a search engine submittal service.) Sorry, PageRank is supposed to be used in the service of finding what you want, not in making the web less useful.

Two-year anniversary of Bug 122445 (Spoof prevention: Warn if username/password in link (url) looks like a hostname), and still nothing to protect anyone from phishing. Things I'm for:

  • Dialog box on suspicious usernames – I understand that it's YAWD (yet another warning dialog), but in this case I think it's warranted. If a user doesn't ignore it, it lets them not load the site at all (a good thing). However, users *do* just click through, so part two of the solution, a per-domain blocking interface like the pop-up blocker's, might make sense.
  • Hostname (domain name)/username display – The URL bar should start with the hostname and then show the username/password after it or separately (one option; another is displaying the full URL but with the org info text at the end), or not at all. I don't like URL chopping/mangling, but either solution (any! colour and escape it all for all I care) is better than allowing this kind of phishing to go on.
  • Links should start with [hostname] in the status bar/mouseover text – just as an additional FYI; however, if there's no real way to prevent this from being spoofed in JS, maybe not a good idea. (An inline warning might be interesting.)

OK, I just got finished reading 150+ comments over the past two years on this bug. I'm feeling what slice1900 (the original bug submitter) is saying:

——-
Additional Comment #159 From slice1900@*** 2004-01-28 13:31 PST
——-

Given that Microsoft plans to update IE to completely do away with ALL HTTP/HTTPS AUTH, rather than attempting to sanity check them in any way, all I have to say is TFB to all you whiners who complained about how my original idea in the bug report to only care about .'s in usernames because it might inconvenience a dozen users at some obscure site or another using HTTP AUTH that's dumb enough to have usernames with dots in them.

Mozilla should now just follow suit and disable ALL uses of HTTP AUTH in the browser because, standard or not, now that MS is obsoleting it, the few remaining sites legitimately using it will cease soon enough when they have the first reports from IE users with the patch that it no longer works and they realize MS will no longer support it.

Of course I expect in reality that Mozilla will continue to do nothing, as those same whiners that obstructed anything constructive being done, like Adam's patch that apparently was never considered by anyone with any power in the Mozilla organization to do anything about it, continue to whine about how Mozilla should continue to support HTTP AUTH anyway, because it is the "standard", even though only sites used where no users use IE would continue to use the brain-damaged HTTP AUTH option from this point on.

Thus ensuring that not only did Mozilla not take the leadership on this issue, despite my bug report being filed TWO YEARS AGO TOMORROW, it will probably remain for quite a while as the only browser still vulnerable in all its versions to the phishing scams. I'm sure those will go on for quite a while since there will be enough vulnerable versions of IE out there for several more years.

No wonder Mozilla never went anywhere, people were too worried about stupid crap like themes and support for stuff no one uses like SVG and MNG, instead of worrying about things that will benefit the average end user. Mozilla should just give up any illusions it is for the average user, and just content itself to be a geek browser for people who are already too smart to fall for such scams, and those of us who got their friends and parents to use it when they had one too many bad experiences with IE can send them Opera's way instead since even though it is closed source and costs money, they actually seem to care about their users.

I will probably get flamed for this, maybe even kicked off bugzilla, but I really don't care. I'm just so disappointed and disillusioned by the whole thing I probably won't bother to ever waste my time contributing bug reports to Mozilla again anyway.

Here's the MS KB announcement: 834489 – Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs

Random: I like Bugzilla's new option to restrict sessions to a single IP. You'd think this would be something built into, say, PHP's default session handling (and how about signed cookies or nonces? That'd be nice too). TODO: look for or write a secure session handling library.

Microsoft Support: Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks

The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER.

Hmm, last reviewed 12/26/2003, so before the second and even more serious IE linking bug (doubly dangerous when combined with the still unfixed spoofing bug). I guess Microsoft Support isn’t really in a position to outline the easy one-step solution of say… installing Mozilla?