URL obfuscation (2002) (pc-help.org)

117 points by freebyte 339 days ago


jchw 339 days ago

Thanks to the rapid adoption of TLS, HTTP/1.1, and CDN services like Cloudflare, it's hard to actually find IP addresses to test some of these tricks on. However, it seems like at least some of this stuff really does still work.

Here's one for example.com. Without the host header, it still misbehaves, but it at least does something.


jaclaz 339 days ago

>Last Updated Sunday, 13 January 2002

    hdhzy 339 days ago

    Yes, exactly. The @ trick is being removed from browsers because what the author refers to as interesting trick has been used for phishing and other scams.

      frik 338 days ago

      Since when is destroying web standards acceptable? There are so many internet and intranet pages from 1994+.

      In the name of security the change way too many moving parts lately to push their hidden agenda.

      Using HTTP in local LAN is fine. Using HTTP for non login-pages is fine. Using "basic authentification" (user:pwd@IP) is fine for certain use cases. Stop breaking things.

      I am not using a Firefox anymore, they went insane lately, they don't bother about their community anymore. I am worried about Chrome too, TLS only for HTTP/2 is the wrong signal. So many times I couldn't open a HTTPS sites because the browser thinks the cert is broken - it was just a trivial page were I just want to read some text (not input anything) - just some me the page - something that wouldn't be a problem with HTTP.

      If Firefox, Chrome or whoever want to destroy access to 1994-2017 websites, go to hell. Name your forked off thing TheMicrosoftNetwork (or what not) and see it tank rather quickly.

        Spivak 338 days ago

        Keep in mind they're not breaking HTTP basic auth, they're just just removing the ability to specify credentials in the URL because its legitimate use is extremely rare but its use in phishing is common.

      jwilk 339 days ago

      What's exactly being removed?

        0x0 339 days ago

        You used to be able to put HTTP basic authentication into the URL in the format http://username:password@hostname-or-ip.example.com/ - modern browsers are removing support for the "username:passord@" part because people would put a legit domain in the username:password@ part to fool users. (i.e., http://cnn.com:article123456@fakenews.example.com/ which would actually take you to fakenews.example.com while sending a username of "cnn.com" and a password of "article123456")

          mschuster91 339 days ago

          what? O.o I use this in Keepass to store quick-login links for some that still require http basic auth (though, haven't tested these for a while). Do you have any link on the deprecation?

            0x0 339 days ago
              jwilk 339 days ago

              > In Firefox, it is checked if the site actually requires authentication and if not, Firefox will warn the user with a prompt "You are about to log in to the site “www.example.com” with the username “username”, but the website does not require authentication. This may be an attempt to trick you.".

              Huh, that's just security theater. The phisher could set up a website that does require authentication, thereby avoiding the warning.

              The sensible thing to do would be to display the warning if the username contains unescaped dots. (I.e., http://cnn.com:article123456@fakenews.example.com/ would provoke warnings, but http://cnn%2Ecom:article123456@fakenews.example.com/ would not.)

                jchw 339 days ago

                Thinking about this, I think you're right that this is perhaps less useful than billed. If anything though, I'd rather have both warnings.

                338 days ago

          jaimex2 339 days ago

          Strange, it still works for me on Chrome on a http site.

338 days ago

dmurray 339 days ago

These are interesting as curiosities, but most of them are not interesting from the point of view of deceiving users, and this was the case even when the article was written.

It's trivial to make users think they are not visiting evil.com, or just to serve evil content from evil2.com instead. This means a blacklist model of web addresses will never work, and even the most naive computer user uses a whitelist instead, if they pay attention to urls at all.

The username:password@evil.com/... trick is the exception, and it's good that browsers are working on ways to mitigate this.

    styfle 338 days ago

    A lot of large organizations purchase domains that are similar to theirs to avoid typo-squatting as well as the impersonation you pointed out.

    The creation of new TLDs in the last few years only increases the permutations.

    For example:



    338 days ago

theEXTORTCIST 338 days ago

The data URL scheme is abusable.

Firefox and Chrome correctly redirect to localhost via javascript