From: "Damon McMahon" <inst_karma () hotmail com>
Date: Sat, 15 May 2004 11:01:47 +1000
Note that Microsoft removed exactly this functionality for exactly these
reasons in their MS04-004 update to Internet Explorer:
834489 - A security update is available that modifies the default behavior
of Internet Explorer for handling user information in HTTP and in HTTPS URLs
I'm not sure about the current state of support in Mozilla for this -
there's a bug submitted at http://bugzilla.mozilla.org/show_bug.cgi?id=232560
but this is pretty vague.
Yet another reason to keep your browser right up to date (as if you needed
another one!) I suppose...
>From: "Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>
>To: <webappsec () securityfocus com>
>Subject: RE: Phishing
>Date: Thu, 13 May 2004 10:55:05 +0100
>This is the most workable of all ideas I think, it would certainly draw
>people's attention to the fact that the submission was a little bit iffy.
>Whether this would then prompt them not to continue or indeed whether the
>message could be clearer in its explanation of what is going on is less
>
>It may also be that as authentication on a URL is possibly an advanced
>feature, it could be off by default, and explicitly turned on by the user
>who understands what the resultant addresses look like and would therefore
>be better educated to spot things like this.
>
>Protecting the user with default config is possibly the way to go with
>this. However, as without Outlook, I'd occasionally like to override this.
>For example, to open the Word doc that my colleague has sent from across the
>room and not be told it can't ever be done.
> -----Original Message-----
> From: Rogan Dawes [mailto:discard () dawes za net]
> Sent: Thu 13/05/2004 07:42
> To: Griffiths, Ian
> Cc: webappsec () securityfocus com
> Subject: Re: Phishing
> "You have clicked a link to 'nefarious.fraud.net', with username
> 'secure.bank.com' and password '********'. Do you want to continue? Ask
> me next time (x)"
> I guess this could be a password dialogue, with the username and
> password filled in, similar to the current basic auth password dialogs.
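Added example, not part of the original thread: a link check that uses the standard WHATWG URL parser to find user information in HTTP and HTTPS URLs and builds the warning text proposed above. The function names and sample links are constructed for illustration.

```javascript
// Added example; function names and sample links are constructed.

// Percent-decoding can throw on malformed escapes, so fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns null when the link carries no userinfo, otherwise the facts a
// warning dialog needs: the real destination host and the embedded username.
function inspectLink(href) {
  let url;
  try { url = new URL(href); } catch (e) { return { href, verdict: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username === "" && url.password === "") return null;
  const username = safeDecode(url.username);
  return {
    href,
    verdict: "userinfo",
    host: url.hostname,
    username,
    hasPassword: url.password !== "",
    // A username that starts like a hostname is the deceptive case.
    usernameLooksLikeHost: /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(username),
  };
}

// Wording follows the dialog proposed in the thread; the password is never echoed.
function warningText(info) {
  const pw = info.hasPassword ? " and password '********'" : "";
  return `You have clicked a link to '${info.host}', with username ` +
         `'${info.username}'${pw}. Do you want to continue?`;
}

// Constructed sample links using the host names from the thread.
const samples = [
  "http://secure.bank.com:hunter2@nefarious.fraud.net/login",
  "http://secure.bank.com%2Faccounts@nefarious.fraud.net/",
  "https://secure.bank.com/login",
];
for (const href of samples) {
  const info = inspectLink(href);
  console.log(href, "->", info ? warningText(info) : "no userinfo");
}
```

The second sample shows why the username is percent-decoded before display: the encoded slash makes the part before the @ read like a path on the trusted site.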