20070712

Firefox 3.0a7 URL Highlighting

I had a post on why I think highlighting the host in the URL is a bad idea, then RSnake had an additional problem with it.
Here's a screenshot of why I think this is a bad idea:

The screenshot is from one of the full-disclosure URLs that actually redraw the content. As you can see, the host is shown in dark text here, so we know exactly who is rendering the content, but the content can be whatever the attacker wants it to be.

I'm sure another argument against it would be that users simply don't pay attention to the URL bar. However, I think that's a bogus idea - just because not all people use the security features doesn't mean they shouldn't exist. But in this case, I think the host highlighting is actually a step backwards - if it were a really good phishing attack, the URL bar would actually highlight the name of the victim site while what's on the page itself is completely in the control of the hacker.
