
April 28, 2010

Address bar and the sea of darkness

The current contents of the address bar are our only god.

Really. There is nothing else: browsers do not have any other universal, reliable content origin indicator, and no way to predict where you will be taken next. People who do not understand this, or who do not understand the URL syntax, will suffer. Over and over again.

It is fair to note that way too many users fall into this category; in fact, even the experts can't always be sure. Guess where the following URLs will take you in MSIE, Firefox, and Chrome:

  • http://example.com\@coredump.cx/
  • http://example.com;.coredump.cx/

Chances are, you got the answers wrong. The problem is easy to pin squarely on the users, but it's the geeks who created a huge gap between the skill level needed to proficiently operate a browser, and the skill level required to do so safely. The health of the entire networked ecosystem suffers as a result.
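As an added illustration (not code from the original post), the following JavaScript compares how two parsers read the host of the two URLs above: a literal RFC 3986 Appendix B split, the kind a server-side allowlist check often uses, and the WHATWG URL parser that Node.js and current browsers implement as the global `URL` class. Browser behaviour in 2010 differed between vendors and is not reproduced here; the script only shows what a current engine does with the same strings. The sample list, the third sample URL and the function names are my own.

```javascript
// Added example, not from the original post. Compares the "host" that an
// RFC 3986 Appendix B reader extracts with the host the WHATWG URL parser
// (Node.js / current browsers) actually navigates to.

// RFC 3986, Appendix B: the regular expression for breaking down a URI.
const RFC3986_RE = /^(([^:/?#]+):)?(\/\/([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Host as an RFC 3986 reader splits it: authority = [userinfo "@"] host [":" port].
function rfc3986Host(url) {
  const m = RFC3986_RE.exec(url);
  let authority = m[4];
  if (authority === undefined) return null;          // no "//" authority present
  const at = authority.indexOf("@");
  if (at !== -1) authority = authority.slice(at + 1); // everything before "@" is userinfo
  if (authority.startsWith("[")) {                    // IPv6 literal: keep the brackets
    return authority.slice(0, authority.indexOf("]") + 1);
  }
  const colon = authority.lastIndexOf(":");           // strip an optional port
  return colon === -1 ? authority : authority.slice(0, colon);
}

// Host and path as the WHATWG URL parser sees them. For special schemes such
// as http, that parser treats "\" like "/", so it ends the authority early.
function whatwgView(url) {
  try {
    const u = new URL(url);
    return { host: u.hostname, path: u.pathname };
  } catch (e) {
    return { host: null, path: null };                // the browser would refuse to navigate
  }
}

function compareHostViews(url) {
  const rfc = rfc3986Host(url);
  const w = whatwgView(url);
  return { url, rfc3986: rfc, whatwg: w.host, whatwgPath: w.path, agree: rfc === w.host };
}

// A hostname allowlist check is only as good as the agreement between the
// parser it uses and the parser that performs the navigation.
function safeByBothParsers(url, allowedHost) {
  const v = compareHostViews(url);
  return v.agree && v.whatwg === allowedHost;
}

// Constructed sample input: the two URLs from the post plus a plain userinfo case.
const SAMPLES = [
  "http://example.com\\@coredump.cx/", // the post's first URL (a single backslash)
  "http://example.com;.coredump.cx/",  // the post's second URL
  "http://example.com@coredump.cx/",   // ordinary userinfo, for contrast
];

for (const u of SAMPLES) console.log(compareHostViews(u));
```

For the first URL the two readers disagree outright: the RFC 3986 split treats `example.com\` as userinfo and reports `coredump.cx`, while the WHATWG parser stops the authority at the backslash, reports `example.com`, and pushes `@coredump.cx` into the path. For the second URL both agree on `example.com;.coredump.cx`, since `;` is a legal host character in both grammars, which is not what a reader scanning for the first dot-delimited name tends to assume. `safeByBothParsers` rejects any URL on which the two readers differ, which is the cheap defensive check when you cannot control which parser sits on the other end.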

This gap is one of the great unsolved problems in information security, and it calls for fundamental changes to how web browsers interact with users and identify sites. Alas, not every quick kludge is necessarily a good one: careless users will be just as doomed if we outlaw HTTP authentication, change onclick behavior, rework tooltips, or close all the open redirectors in the world. The few hundred remaining pages of the relevant RFCs will keep the world interesting. Please, pick your battles wisely.
