"Dave Warren" <dave.warren@devilsplayground.net> wrote: <<big snip>> > It's probably too late, but rather then removing user:password support > altogether, maybe Microsoft could replace it with a dialog that informs the > user they are about to visit "session-arhuz.ru" with the username > "www.herbank.com", and an appropriate warning about not revealing sensitive > information, blahblahblah? Yeah, just like the "The doument you are opening contains macros or customizations. Some macros may contain viruses that could harm your computer. [...]" warnings prevented Word macro viruses... A user naïve enough to click on such a link does, in some important sense, _want_ to visit that page. Your suggested warning is just another thing that such users see as "getting in the way of doing what I want to do". Therefore, if implemented it would become more part of the problem than the solution (as users will become ever more familiar with ignoring "warnings" and clicking through them). If you understand users, you will know that in helping them to not shoot themselves in the feet, the only useful appraoch is to remove everything capable of firing the bullets (and quite a few things beside!)... On the Word macro virus front, things got notably better _NOT_ when MS implemented the above warning (that the users could blithely ignore and even _disable_ right there on the warning dialog -- what a travesty of mis-design that was!) but when it released a version of Word that defaulted to not running macros unless they were signed with an acceptable (as configured by the user/admin) key (there are legion flaws in the design of this feature, but it was strong enough to significantly impact the Word macro virus problem). In IE, removing support for this mis-feature (read RFC 2616) will have a much greater impact than trying to "direct" users who don't want to be directed with "warnings" and other stuff that "gets in their way". -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
