Closed Bug 140064 Opened 18 years ago Closed 16 years ago
Long username/password parts of URL confuse user (not user
The news are already reporting about that kind of trick, e.g.: http://www.spiegel.de/netzwelt/netzkultur/0,1518,193521,00.html
over to security/general
Assignee: Matti → mstoltz
Component: Browser-General → Security: General
QA Contact: imajes-qa → bsharma
Page info enhancement is a good idea, but should be a separate bug. I am in favor of something that triggers for urls with username only. That's an unusual case, and even in the legit case, users may want to be made aware that they are submitting a username.

We have a problem with cut hostnames in general, not just with usernames. <windowsupdate.microsoft.com.querywithalongstring.thatpushestherealdomainout.malicioussite.com/installtrojan.html> Both in the urlbar and the statusbar (hover over links). The latter is even worse, because it cuts in the middle, not the end.

Telling me the host I am currently visiting might not be enough, because I might not want to visit the site *at all*. (JS exploits, ad-popups, offending content, whatever reason.) *Before* clicking on a link, I already have to be aware of the host I am about to go to.

This hit the news already, for example: <http://www.heise.de/newsticker/newsticker/data/se-10.02.02-000/> (in German) <http://www.heise.de/newsticker/newsticker/data/wst-05.12.01-002/> (in German) (Please add more URLs)
There are exploits worse than fake news: A malicious site might trick you into entering sensitive information like passwords etc.
*** This bug has been marked as a duplicate of 122445 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Reopening. The other bug is specifically about usernames in hostnames. While that was an important part of this bug, it is broader, as my example demonstrated.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Good that I knew this bug! I just got tripped by a link from: http://www.fakednews.com/ http://www.cnn.com:email@example.com/news.php?DwDCo1pq
Status: REOPENED → ASSIGNED
Target Milestone: --- → mozilla1.4beta
Does this still happen? I thought we fixed a couple cases of this spoofing. I've also moved the enhance page info comment to Bug 212327.
It seems like it would be easiest to just omit the username and password in the statusbar, or to place them at the end. Although there are uses for the username:password combo, it seems more important to show the domain name. So you'd have something like this in the statusbar: http://188.8.131.52/real-url/... (username : password) instead of http://username:firstname.lastname@example.org/real-url/... As Jesse Ruderman pointed out in bug 122445 comment 86 it might make sense to url encode the username and password (convert dots to %2e, for example) so that it is not easily mistaken for a domain name.
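The host-first status-bar rendering proposed above, as an added example (not Mozilla's code): it extracts the real host from a URL that carries userinfo, percent-encodes the dots in the username/password so they cannot read as a domain, and elides over-long hostnames from the left so the real domain survives. The sample URLs are constructed after the patterns in this bug; `display_url`, `encode_userinfo` and `abbreviate_host` are names chosen here.

```python
from urllib.parse import urlsplit

# Constructed sample URLs following the spoofing patterns discussed in this bug.
SAMPLES = [
    "http://www.cnn.com:email@example.com/news.php?DwDCo1pq",
    "http://windowsupdate.microsoft.com.querywithalongstring."
    "thatpushestherealdomainout.malicioussite.com/installtrojan.html",
    "http://example.org/real-url/",
]

def real_host(url):
    """Host the request actually goes to; userinfo before '@' is ignored."""
    return urlsplit(url).hostname or ""

def has_userinfo(url):
    """True when the URL carries a username (the case the bug wants flagged)."""
    return urlsplit(url).username is not None

def encode_userinfo(value):
    """Percent-encode everything but ASCII letters, digits, '-' and '_'.
    urllib.parse.quote leaves '.' alone, so a hand-rolled encoder is used
    to turn dots into %2e as suggested in bug 122445 comment 86."""
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in "-_":
            out.append(ch)
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)

def display_url(url):
    """Status-bar form: scheme://host/path?query (user : pass), host first."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += ":%d" % p.port
    shown = p.scheme + "://" + netloc + p.path
    if p.query:
        shown += "?" + p.query
    if p.username is not None:
        creds = encode_userinfo(p.username)
        if p.password is not None:
            creds += " : " + encode_userinfo(p.password)
        shown += " (" + creds + ")"
    return shown

def abbreviate_host(host, maxlen=40):
    """Elide from the LEFT so the right-most labels (the real domain) survive,
    instead of cutting in the middle or at the end as the status bar did."""
    if len(host) <= maxlen:
        return host
    labels = host.split(".")
    kept = labels[-1]
    for label in reversed(labels[:-1]):
        candidate = label + "." + kept
        if len(candidate) + 3 > maxlen:  # leave room for the "..." marker
            break
        kept = candidate
    return "..." + kept
```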
This method of fooling users has been given the name "phishing" and has led Microsoft to actually stop supporting usernames & passwords in http(s) urls. I say that's a pretty extreme response and there are much better ways to handle it. My suggestion is to replace the user id and password in the url bar with an icon, that shows the actual user id and password as a tool tip. Also, when the URL shows in the status bar when the mouse is over a link, you could just show "user:email@example.com" but actually show user:pass, not the real user and password, perhaps in italics or something.
usernames in URLs are discussed (over-)extensively in bug 122445.
This looks to me like a complete dup of bug 122445. Feel free to re-open if you disagree. *** This bug has been marked as a duplicate of 122445 ***
Status: ASSIGNED → RESOLVED
Closed: 18 years ago → 16 years ago
Resolution: --- → DUPLICATE
The difference is that this bug includes stuff like windowsupdate.microsoft.com.update.evil.com, while the other bug only deals with userpass, e.g. firstname.lastname@example.org.
Actually, this bug is only about username as well, I must have imagined it. verify dup
Status: RESOLVED → VERIFIED
Summary: Long username/password parts of URL confuse user → Long username/password parts of URL confuse user (not user
Right, Ben, the very long domain name issue is bug 233865.
Last modified in March 2004 and a dup, anything new..