Neil Turner's Blog

Blogging about technology and randomness since 2002

Firefox gets phishing-protection

If I’m reading bug 232567 properly, Mozilla and Firefox have gained protection from one of the more common URL spoofing tactics, often used in phishing scams. They will now warn the user about addresses such as http://www.mozilla.org&item%3Dq:20933773d88383h2nf@example.com/fraud/evil, which make the user think they’re going to mozilla.org when they are actually going to example.com.
It’s about time. There has been much bickering over this issue, from the purists who say it’s unnecessary and breaks the standard, to those who can’t see any reason at all for the username:password combination. As such, the solution is a compromise – if Firefox encounters a username:password@somewhere.com URL it prompts the user, asking whether he or she wants to continue. Furthermore, if the URL doesn’t actually require authentication (using the HTTP 401 error code) then the user is warned as well.
[Screenshot: Opera warning about a possibly spoofed URL]
In my mind, this is a good compromise, and better than what Microsoft did with IE – in that browser, all URLs of this variety fail with a syntax error. Opera also went down the compromise route – the screenshot shown is the message that appears when you go to one of these URLs. It’s better than nothing but I don’t think the message is entirely clear.
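
To make the two warnings concrete, here is an added example (not Mozilla's code and not part of the original post) that splits a link into its userinfo and real host and reports when each warning would apply. The warning names, the `serverSent401` parameter and the host-shaped-userinfo heuristic are assumptions of this sketch.

```javascript
// Added example, not browser source code. Uses the standard WHATWG URL
// parser, available as a global in browsers and in Node.js.

// Assumption of this example: userinfo that begins with something shaped
// like a host name ("www.mozilla.org&...") is treated as extra suspicious.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}(?=$|[^a-z0-9.-])/i;

// serverSent401: whether the server actually answered with HTTP 401,
// i.e. whether the credentials in the URL were ever asked for.
function inspectUrl(raw, serverSent401 = false) {
  const result = { valid: true, realHost: null, userinfo: null, looksLike: null, warnings: [] };
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ...result, valid: false, warnings: ["unparseable"] };
  }
  result.realHost = url.hostname; // the host the request really goes to
  if (!/^https?:$/.test(url.protocol) || (!url.username && !url.password)) {
    return result; // nothing before an "@": no spoofing surface here
  }
  result.userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  result.warnings.push("credentials-in-url"); // first prompt described above
  if (!serverSent401) {
    result.warnings.push("auth-not-requested"); // second warning described above
  }
  const m = HOSTLIKE.exec(url.username);
  if (m && m[0].toLowerCase() !== url.hostname) {
    result.looksLike = m[0].toLowerCase();
    result.warnings.push("userinfo-resembles-host");
  }
  return result;
}

// The address quoted in the post, plus two constructed comparison cases.
const SAMPLES = [
  "http://www.mozilla.org&item%3Dq:20933773d88383h2nf@example.com/fraud/evil",
  "https://alice:s3cret@intranet.example/reports",
  "https://www.mozilla.org/firefox/",
];
for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(r.realHost, r.looksLike, r.warnings.join(",") || "no warnings");
}
```

The same check is useful outside the browser, for example in a mail filter that rewrites links to show the real host next to the text the user sees.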

One Comment

  1. Hello
    I’m a phisher myself.
    It is old bugtraq. It is half a year old.
    And we use only that, which are really new – 0-day
    Good Luck to you guys, we’ll work well
    with your money of course.