Closed Bug 228090 Opened 21 years ago Closed 21 years ago

Possible to hide servername in urlbar

Categories

(SeaMonkey :: Location Bar, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 122445

People

(Reporter: sicking, Unassigned)

This is a UI bug which tends to generate a lot of ranting and spamming. DO NOT DO
THAT OR WE'LL KICK YOU OUT!

There's recently been a bug found in IE where it's possible to cut off part of
the url shown in the url-bar. This opens an exploit where the user is tricked into
going to the url:

http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm

where everything after the %01 is hidden. The user thinks he's at
www.microsoft.com and feels safe to download executables or enter sensitive
information such as passwords or credit card numbers.

See also http://simon.incutio.com/archive/2003/12/09/nastyBug

However, Mozilla is vulnerable to this too, though to a lesser extent. If I were
to go to the above url I would most likely think I'm at microsoft. Especially if
it has a bit more obfuscation. And if you don't believe that I would be fooled by
this you better believe that my mom would. People don't look at the entire url
searching for a '@' sign, rather you just look at the beginning and feel safe
after that.

I can see two ways of fixing this in Mozilla. Either we don't show the username
in the url-bar (i.e. we cut away everything before the @). Or we could put
emphasis on the servername, such as making it bold.
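
The two fixes proposed above (dropping the userinfo, or emphasising the server name) can be sketched as a URL check; this is an added example, not part of the original bug report or of Mozilla's code. The helper name `inspect_url`, the finding labels and the `**` markers standing in for bold are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# URL quoted in the bug report above.
REPORTED_URL = "http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm"

# Userinfo that starts like a DNS name (label.label.tld) is what misleads the reader.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def inspect_url(url):
    """Report misleading userinfo and build the two safer displays (hypothetical helper)."""
    parts = urlsplit(url)
    # Everything before the LAST '@' in the authority is userinfo, not the server.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    decoded = unquote(userinfo)  # %01 becomes the raw control byte

    findings = []
    if userinfo:
        findings.append("userinfo-present")
    if HOSTLIKE.match(decoded):
        findings.append("userinfo-looks-like-hostname")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        findings.append("control-char-in-userinfo")

    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    prefix = f"{parts.scheme}://"
    return {
        "host": parts.hostname or "",
        "findings": findings,
        # Fix 1 from the report: cut away everything before the '@'.
        "stripped": f"{prefix}{hostport}{rest}",
        # Fix 2 from the report: emphasise the server name ('**' stands in for bold).
        "emphasized": f"{prefix}{userinfo + '@' if userinfo else ''}**{hostport}**{rest}",
    }


if __name__ == "__main__":
    for key, value in inspect_url(REPORTED_URL).items():
        print(f"{key}: {value}")
```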

Isn't this a dup of bug 122445?

*** This bug has been marked as a duplicate of 122445 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE

VERIFIED/dupe
Status: RESOLVED → VERIFIED

Product: Core → SeaMonkey