ICANNWatch
 
  Inside ICANNWatch  
Submit Story
Home
Lost Password
Preferences
Site Messages
Top 10 Lists
Latest Comments
Search by topic
Our Mission
ICANN for Beginners
About Us
How To Use This Site
ICANNWatch FAQ
Slash Tech Info
Link to Us
Write to Us

  Useful ICANN sites  
  • ICANN itself
  • Bret Fausett's ICANN Blog
  • Internet Governance Project
  • UN Working Group on Internet Governance
  • Karl Auerbach web site
  • Müller-Maguhn home
  • UDRPinfo.com;
  • UDRPlaw.net;
  • CircleID;
  • LatinoamerICANN Project
  • ICB Tollfree News

    •   At Large Membership and Civil Society Participation in ICANN  
  • icannatlarge.com;
  • Noncommercial Users Constituency of ICANN
  • NAIS Project
  • ICANN At Large Study Committee Final Report
  • ICANN (non)Members page
  • ICANN Membership Election site

    • ICANN-Related Reading
    Browse ICANNWatch by Subject

    Ted Byfied
    - ICANN: Defending Our Precious Bodily Fluids
    - Ushering in Banality
    - ICANN! No U CANN't!
    - roving_reporter
    - DNS: A Short History and a Short Future

    David Farber
    - Overcoming ICANN (PFIR statement)

    A. Michael Froomkin
    - When We Say US™, We Mean It!
    - ICANN 2.0: Meet The New Boss
    - Habermas@ discourse.net: Toward a Critical Theory of Cyberspace
    - ICANN and Anti-Trust (with Mark Lemley)
    - Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution (html)
    - Form and Substance in Cyberspace
    - ICANN's "Uniform Dispute Resolution Policy"-- Causes and (Partial) Cures

    Milton Mueller
    - Ruling the Root
    - Success by Default: A New Profile of Domain Name Trademark Disputes under ICANN's UDRP
    - Dancing the Quango: ICANN as International Regulatory Regime
    - Goverments and Country Names: ICANN's Transformation into an Intergovernmental Regime
    - Competing DNS Roots: Creative Destruction or Just Plain Destruction?
    - Rough Justice: A Statistical Assessment of the UDRP
    - ICANN and Internet Governance

    David Post
    - Governing Cyberspace, or Where is James Madison When We Need Him?
    - The 'Unsettled Paradox': The Internet, the State, and the Consent of the Governed

    Jonathan Weinberg
    - Sitefinder and Internet Governance
    - ICANN, Internet Stability, and New Top Level Domains
    - Geeks and Greeks
    - ICANN and the Problem of Legitimacy

    Highlights of the ICANNWatch Archive
    (June 1999 - March 2001)


    		 
    This discussion has been archived. No new comments can be posted.
    MicroSoft Closes Browser Phishing Hole | Log in/Create an Account | Top | 7 comments | Search Discussion
    Click this button to post a comment to this story
    The options below will change how the comments display
    Threshold:
    Check box to change your default comment view
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
    URL syntax is allowed
    by Huguei on Wednesday February 04 2004, @02:42AM (#12927)
    User #3840 Info
    But the syntax
          http://user:password@site
    is allowed in the URI specification RFC (rfc2396).

    The problem with IExplorer was that certain character inside the URL (hidden right after the '@' sign) causes that explorer doesn't showed the rest or the url, even in the address bar or the body of a mail message !! So, the crackers could use that character to hide the real server.

    Hugo
    [ Reply to This | Parent ]
    Re:URL syntax is allowed
    by fnord ({groy2k} {at} {yahoo.com}) on Wednesday February 04 2004, @02:00PM (#12928)
    User #2810 Info
    That syntax has been allowed and used (and still is) for FTP since long before HTTP and the world wide web were a twinkle in Tim Berners-Lee's eye, and isn't much different from that used by telnet back to the dawn of time. It is arguable that the RFC should not be superceded simply to correct a social engineering problem. Microsoft could conceivably otherwise check for such an exploit and disallow it.

    Your comment is also somewhat misleading. Hugo wrote:

    The problem with IExplorer was that certain character inside the URL (hidden right after the '@' sign) [it is actually (%01) placed before the '@' sign] causes that explorer doesn't showed the rest or the url, even in the address bar or the body of a mail message
    That is only part of the problem, it is one of the later wrinkles or enhancements I referenced. I was first involved with phishing in a case where AOL users suffered this semantic attack so as to cough up their account ISERID/Passwords which spammers would then put to one-time use. That was back in 1997 and wasn't the first instance. The wrinkle you speak of was first (mis)used last year SFAIK, perhaps because it may not have been considered necessary by scammers prior to the release of the current IExplorer v. 6.x in which the URL line shows only the accurate address (unless one uses that exploit).

    Versions 5.x and earlier did show the entire URL (my example of

    http://icann.org@icannwatch.org [icannwatch.org]

    did not use that wrinkle as a view of the source code will show, perhaps someone with an unpatched pre v. 6.x can confirm that link behaviour). Particularily as part or all of the link can be obfuscated into octal and/or hex as I first pointed out, most users cannot be expected to parse each URL looking for an instance of '@'. For example the URL of the page I now write on looks like this (to me, YMMV somewhat):

    http://www.icannwatch.org/comments.pl? sid=1539&op=Reply&threshold=-1&commentsort=1&mode= nested&tid=34&pid=12927

    Eyeball a bunch of those each day (and then double-check to be sure) and you'll never get anything else done. That's assuming that the IExplorer user, which is to generally say newbies and the less technically clued, even knew to search for '@', which they overwhelmingly do not. -g

    [ Reply to This | Parent ]


    Search ICANNWatch.org:

    Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.
    You can syndicate our headlines in .rdf, .rss, or .xml. Domain registration services donated by DomainRegistry.com