January 30, 2004

Anyone else see this recent MS Knowledge Base article? "Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks." What the hell is Microsoft thinking — they can't fix the problem with their browser and so their advice is that you should manually enter URLs? An excerpt from the article:

The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.

Yeah, that makes perfect sense; we've always known that those damn hyperlinks were a gaping security hole. Who in their right mind is going to look at a URL and say, "Man, that looks malicious, I better type it in manually." Oh, it gets better. They go on to say that you can also copy/paste some JScript code into the toolbar to "identify the actual URL of the current web site." The instructions say:

Use a JScript command in Internet Explorer. In the Address bar, type the following command, and then press ENTER...

...Compare the actual URL with the URL in the Address bar. If they do not match, the Web site is likely misrepresenting itself. In this case, you may want to close Internet Explorer.

The article goes on and on explaining different ways to determine whether the current URL is "malicious," none of which is going to help the average Internet user, because 1.) they just don't care and 2.) it's too much work. Why would Joe Internet jump through such absurd hoops? The quick answer is that he won't. I cannot imagine trying to walk my grandma through those steps, much less see her doing it of her own volition. How could I even explain to her the reasoning behind it? "Well grandma, you see, Microsoft worked long and hard trying to solve this problem with spoofed links, and because they couldn't come up with an answer, they provide you with simple steps to help you use the Internet improperly." I'll never understand why people won't stop using Internet Explorer, especially given the great alternatives available and the fact that a new exploit is reported almost daily.

You should follow me on Twitter here