From: mattias at ahnberg.pp.se (Mattias Ahnberg)
Subject: Apparently the practice was prevalent

>> "ST" == Scott Taylor <security@...underground.com> writes:

ST> Wouldn't it make sense to accept user@...s, but NOT DISPLAY IT on the
ST> address bar? so even if someone clicks on a shady link, they don't see
ST> http://www.visa.com@...oks.com, they only see http://crooks.com on their
ST> address bar? And with all those miserable encoded characters translated
ST> back to plaintext too. Yeah I know. silly idea. Just too bloody obvious
ST> I guess.

Now that they have implemented this behavior and have made it into a
de facto standard, I too agree that it is just silly to suddenly remove
it due to other wrongdoings in the browser. 

I do however agree that it is a problem that could help people to be
more easily fooled than normally. But if so, why not just make it
alert the user that something might be fishy? As someone else
suggested, change the color in the URL of the user:pass part into
something else, light an icon to warn the user of it or even
(*shiver*) have it pop up a warning notice.

I think that all of those would be better than just all of a sudden
disabling a feature that people are actually using for a lot of live
purposes.

/ahnberg.
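
The two ideas in this exchange (show only the real host, or warn when a user:pass part is present) can be sketched as a check on the parsed URL. This is an added example, not part of the original post or of any browser's code; the function names and the sample URLs are constructed for illustration, and it assumes a runtime with the standard WHATWG `URL` class.

```javascript
// Decode percent-escapes so encoded characters are shown as plaintext;
// fall back to the raw string if the escapes are malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Hypothetical helper: report what a URL's authority really contains.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  const hasUserinfo = u.username !== "" || u.password !== "";
  const userinfo = safeDecode(u.username);
  // A user name that is itself shaped like a host name (labels joined by
  // dots) is the misleading pattern; a plain login such as "alice" is not.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(userinfo);
  // The address-bar form with the userinfo dropped, as proposed in the quote.
  const display = u.protocol + "//" + u.host + u.pathname + u.search + u.hash;
  return {
    ok: true,
    host: u.hostname,       // where the request actually goes
    hasUserinfo,
    userinfo,
    looksLikeHost,
    display,
    warn: hasUserinfo && looksLikeHost, // the "light an icon" condition
  };
}

// Constructed sample URLs using reserved example host names.
const SAMPLES = [
  "http://www.bank.example@host.example/login",
  "http://www%2Ebank%2Eexample@host.example/",
  "ftp://alice:secret@files.example/",
  "https://www.bank.example/",
];
for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(r.warn ? "WARN" : "ok  ", r.display, "<-", s);
}
```

Legitimate credential URLs such as the `ftp://` sample still parse and display normally; only a user name that imitates a host name raises the warning.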

