| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mattias at ahnberg.pp.se (Mattias Ahnberg) Subject: Apparently the practice was prevalent >> "ST" == Scott Taylor <security@...underground.com> writes: ST> Wouldn't it make sense to accept user@...s, but NOT DISPLAY IT on the ST> address bar? so even if someone clicks on a shady link, they don't see ST> http://www.visa.com@...oks.com, they only see http://crooks.com on their ST> address bar? And with all those miserable encoded characters translated ST> back to plaintext too. Yeah I know. silly idea. Just too bloody obvious ST> I guess. Now that they have implemented this behavior and has made it into a defacto standard I too agree that it is just silly to suddenly remove it due to other wrongdoings in the browser. I do however agree that it is a problem that could help people to be more easily fooled than normally. But if so, why not just make it alert the user that something might be fishy? As someone else suggested, change the color in the URL of the user:pass part into something else, light an icon to warn the user of it or even (*shiver*) have it pop up a warning notice. I think that all of those would be better than just all of a sudden disabling a feature that people are actually using for a lot of live purposes. /ahnberg.
Powered by blists - more mailing lists