Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: IE URL obfuscation: counterpoint
From: Russell Freeland (russellSYNERGYCORP.COM)
Date: Thu Dec 11 2003 - 16:52:40 CST
I agree that Russ is a little cloistered when it comes to sanity checks
about average users--as are we all to some extent. For instance, even
entertaining the idea of requiring a license to operate a computer, or
teaching everyone about personal firewalls, is pretty off the wall to
me. I know plenty of users whose eyes glaze over approximately .05
seconds into any sentence that contains the phrase "ip address." (Even
if you drew crayon pictures of what an IP is, glaze would ensue
immediately.) Are these people supposed to be denied the advantages of
having an Internet connection? But I digress...
Consider that if someone would get taken in by a bogus website, they'll
probably get taken in *without* URL obfuscation.
But the bottom line is, if I made IE and I thought that even one person
could be hurt by a bug, I'd have to fix it. Quickly. In fact, I'd have
to implement an anti-scam feature. Because bugs are not the only
irresponsible thing a developer can let loose on the world.
It might be a good idea for IE to warn users about URLs that look bogus
in much the same way that spam is examined...URL too long? Have an
sign in it? etc. etc. and always warn by default. Maybe we need a
DNSBL for *scam* as for spam, and a plugin to use it.
BTW if we did have a warning feature, it should require something more
than hitting OK to override. Because most of the users I deal with hit
OK before they read a warning. What's worse is when the thing pops up
and OK is highlighted, and the user is typing away in a document...and
the first space bar they hit punches the OK button.
NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
code "NT1003" when registering to take the TICSA exam at www.2test.com.
Prove to your employer and peers that you have the knowledge and
abilities to be an active stakeholder in today's enterprise security.
Become TICSA certified www.trusecure.com/ticsa. Promotion expires
12/31/03 and cannot be used in combination with other offers.