
April 08, 2004

speaking of unsuspecting users

If you've got a friend or family member who you're afraid will become the victim of a phishing scam, this extension, SpoofStick, might be helpful.

Posted by asa at April 8, 2004 10:33 AM
Comments

Is Firefox open to spoofing? I thought it was more secure than Firefox. That probably means it is better to stick with IE for now. Microsoft has a patch for this type of phishing scam; don't you guys do something similar for Firefox instead of relying on third parties to fix this security problem?

Posted by: Firefox on April 8, 2004 03:54 PM

Well, Mr. anonymous coward, it's not technically a spoof since the URLbar hasn't been compromised like with the recent IE URLbar spoof. What it is is a misleading URL. In Mozilla's case (not IE's where the URL could literally be spoofed) it's not terribly different from a user being tricked by an evil site named paypall.com (rather than the legitimate paypal.com). IE's answer (for those people who patched it, and my experience with Windows users is that very few do) was to rip out support for passing username and password in the URLbar completely. This broke a huge number of websites. There are better solutions to this problem which don't break a large number of websites and Mozilla will be incorporating one of those soon.

Posted by: Asa Dotzler on April 8, 2004 04:23 PM

There aren't better solutions: the syntax removed from IE was never valid for HTTP URLs. I'm glad that Microsoft had the courage to remove an insecure authentication system that isn't nearly as widely used as you suggest: Mozilla is just a laggard supporting extensions that will certainly become obsolete now that the biggest player has removed support for the non-standard behaviour.

The biggest irony is that people still need a plug-in to display alt-text as a tooltip, but don't need a plug-in to enable URLs that can trick users into using the wrong site. Mozilla's security policy is often criticised; my honest hope is that the foundation will stop relying on obscurity to avoid embarrassment and damaging users.

Posted by: James on April 8, 2004 06:03 PM

Thanks for the link. As Asa says, SpoofStick is really meant for complex, misleading or mislabeled URLs, as well as for windows that don't show an address bar at all (like this comment window). Basically, many spoofing attacks take advantage of the fact that even though your browser knows exactly where you are, it just refuses to come out and tell you in a straightforward way. See my posts here and here, also Jon Udell's good post on his blog.

Posted by: Phil Libin on April 8, 2004 06:07 PM

I meant to say, "for examples of confusing URLs, see my posts..."

Posted by: Phil Libin on April 8, 2004 06:09 PM

James, there certainly are better ways. One would be to highlight the actual domain and ensure that it was scrolled into view (and lots of variations of that). Another would be to actually show the auth dialog. There are multiple solutions which don't break lots of existing sites. You could escape the username so it couldn't be used to spoof the known domain. You could add a toolbar like SpoofStick.

Saying there aren't better solutions just seems silly to me and I don't have a lot of time for people who believe there are software features which cannot be made better. There are always better solutions. The question is not whether there are better solutions; the question is whether there is sufficient value in the better solution to invest the time and effort required to implement it.

The syntax was not invalid for many years and became a de facto standard, and a lot of people rely on it. Microsoft's changes broke lots of people and they didn't have to. They took the easy way out.

And your implication that by disabling that feature in IE, Microsoft has protected its users from phishing and spoofing and all that, is just bogus. They removed _one_ path to exploiting stupid users. There are lots of ways to confuse stupid people. In my experience, most users will be just as likely (if not more) to be spoofed by http://paypall.com as they will by http://www.paypal.com_______:345656@www.evil.com. The real exploit that got MS in trouble with this in the first place was that a site was actually able to hide all the bogus part of the URL (not just scroll it out of view or otherwise confuse it) so that the URLbar actually said simply "www.paypal.com". That was a _real_ spoof.

Anyway, after reading a few more of your posts it's starting to occur to me that you're not really interested in dialog and you're just here to troll. Your tone is generally insulting and I just now noticed another post of yours where you've taken to name-calling. I don't have time for that kind of garbage.

Posted by: Asa Dotzler on April 8, 2004 08:30 PM

There is one thing that Microsoft fixed with the update, a URL like this: http://example.com/page?arg1=foo&arg2=bar?arg3=baz has the arguments from the second '?' on stripped, giving this: http://example.com/page?arg1=foo&arg2=bar. It "broke" one of my misbehaving web apps. I must not have caught the bug in the first place, because the fix was about a two line change.

Posted by: Eric Hodel on April 9, 2004 08:38 AM
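An added example to illustrate the two parsing points raised in the comments above (Asa's "show the actual domain" and "escape the username" suggestions, and Eric's note about a second '?' in a query string). This is not code from the original post, from Mozilla, or from SpoofStick; it uses the WHATWG URL parser built into Node.js, and the sample URLs and the `describe`/`spoofStickLine` helper names are constructed for illustration. It shows that the text before '@' is userinfo that never affects the destination host, and that everything after the first '?' is query data, including any later '?'.

```javascript
// Added example (not from the original post or SpoofStick): use the WHATWG URL
// parser in Node.js to report where a URL really points, independent of how an
// address bar happens to render it.

// Constructed sample URLs; the hosts are placeholders for illustration.
const SAMPLE_URLS = [
  "http://www.paypal.com_______:345656@www.evil.com/login",
  "http://www.paypal.com/",
  "http://example.com/page?arg1=foo&arg2=bar?arg3=baz",
];

// Parse a URL and describe where a request for it would really go.
// Returns null when the string is not an absolute URL at all.
function describe(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  // The part before '@' is userinfo; it has no influence on the destination host.
  const userinfo = url.username + (url.password ? ":" + url.password : "");
  return {
    host: url.hostname,            // the host the browser will actually connect to
    userinfo,                      // what a phisher places in front of the '@'
    // Userinfo is suspicious when it looks like a hostname (dot-separated labels),
    // because a user reading left to right takes it for the site name.
    userinfoLooksLikeHost: /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(url.username),
    search: url.search,            // everything after the first '?'; later '?' are data
    params: Object.fromEntries(url.searchParams),
  };
}

// Render the "real domain" line a toolbar like SpoofStick shows, plus a warning
// when the username is dressed up as a hostname.
function spoofStickLine(urlString) {
  const d = describe(urlString);
  if (!d) return "not a URL";
  let line = `You're on: ${d.host}`;
  if (d.userinfoLooksLikeHost) {
    line += ` (WARNING: '${d.userinfo}' before '@' is a login, not the site)`;
  }
  return line;
}

for (const u of SAMPLE_URLS) {
  console.log(spoofStickLine(u), "|", describe(u).search);
}
```

Run it with `node` and compare the printed host with what the raw URL string suggests at a glance: the first sample resolves to www.evil.com, and the third keeps `bar?arg3=baz` as the value of `arg2` rather than dropping it, which is the behaviour Eric describes the IE update changing.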
