Re: IE URL obfuscation: counterpoint

From: Russell Freeland (russell_at_SYNERGYCORP.COM)
Date: 12/11/03

    Date:         Thu, 11 Dec 2003 17:52:40 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I agree that Russ is a little cloistered when it comes to sanity checks
    about average users--as are we all to some extent. For instance, even
    entertaining the idea of requiring a license to operate a computer, or
    teaching everyone about personal firewalls, is pretty off the wall to
    me. I know plenty of users whose eyes glaze over approximately .05
    seconds into any sentence that contains the phrase "ip address." (Even
    if you drew crayon pictures of what an IP is, glaze would ensue
    immediately.) Are these people supposed to be denied the advantages of
    having an Internet connection? But I digress...

    Consider that if someone would get taken in by a bogus website, they'll
    probably get taken in *without* URL obfuscation.

    But the bottom line is, if I made IE and I thought that even one person
    could be hurt by a bug, I'd have to fix it. Quickly. In fact, I'd have
    to implement an anti-scam feature. Because bugs are not the only
    irresponsible thing a developer can let loose on the world.

    It might be a good idea for IE to warn users about URLs that look bogus
    in much the same way that spam is examined...URL too long? Have an @
    sign in it? etc. etc. and always warn by default. Maybe we need a
    DNSBL for *scam* as for spam, and a plugin to use it.

    BTW if we did have a warning feature, it should require something more
    than hitting OK to override. Because most of the users I deal with hit
    OK before they read a warning. What's worse is when the thing pops up
    and OK is highlighted, and the user is typing away in a document...and
    the first space bar they hit punches the OK button.

    RF
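
The URL checks suggested in the message above (too long, an @ sign), sketched as an added example that is not part of the original post. The 100-character threshold, the reason labels and the function names are assumptions made for illustration.

```javascript
// Added example: heuristic checks a browser could run before navigating.
// MAX_URL_LENGTH is an assumed threshold; the message names no number.
const MAX_URL_LENGTH = 100;

// Matches an "@" inside the authority part (between "//" and the first
// "/", "?" or "#"). An "@" in the path or query is not flagged.
const AT_IN_AUTHORITY = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*@/i;

// Returns the list of reasons a URL deserves a warning (empty = none).
function suspiciousUrlReasons(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return ["unparseable"];
  }
  const reasons = [];
  if (rawUrl.length > MAX_URL_LENGTH) reasons.push("too-long");
  if (AT_IN_AUTHORITY.test(rawUrl) || url.username !== "" || url.password !== "") {
    reasons.push("userinfo-present");
    let user = url.username;
    try {
      user = decodeURIComponent(user);
    } catch (err) {
      // Malformed percent-encoding: keep the raw value.
    }
    // Userinfo shaped like a host name hides where the link really goes.
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user)) {
      reasons.push("userinfo-looks-like-host");
    }
  }
  return reasons;
}

// What a warning should display: the host the browser will actually contact.
function realHost(rawUrl) {
  return new URL(rawUrl).hostname;
}
```

A warning built on this would show `realHost()` rather than the raw link text, since everything before the @ is userinfo and never names the server.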

    
