Spoofing Flaw Found in Non-IE Browsers
By Ed Oswald and Nate Mook | Published February 7, 2005, 12:32 PM
At a convention of hackers on the East Coast over the weekend, a security flaw was reported in non-Microsoft browsers that could allow someone to spoof the Web site of a real company simply by adding code to a link.
The ASCII coding is used by computers to translate a numerical code into an alphabetical letter. In the case of domain names, it is being used for the International Domain Name (IDN) specification in order to allow domains to be typed with country-specific characters such as the Spanish "ñ" or German "ü."
To support non-standard letters, the URL is changed into a special coding that the browser can understand - and that's where the problem occurs. The group that discovered the issue offered one example, shown on its Web site, which spoofs the URL for the PayPal service.
The link is translated into the code, which looks like p&#1072;ypal.com. The coding is the translation of the letter "a"; however, browsers that translate the code to use the international characters will mistakenly load up the URL xn--pypal-4ve.com.
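The mismatch between the name a user reads and the name that is requested can be checked mechanically. The following is an added example, not code from the article or from any browser: it decodes a link's hostname, derives its xn-- form, and flags labels that mix scripts. The function names and the character-name script heuristic are assumptions of this example.

```python
import html
import unicodedata

# Constructed sample hostnames, written the way they could appear in link markup.
# The first is the article's example; the other two are ordinary names for comparison.
SAMPLES = ["p&#1072;ypal.com", "paypal.com", "m&#252;nchen.example"]


def script_of(ch):
    """Rough script of a letter: the first word of its Unicode character name."""
    if not ch.isalpha():
        return None  # digits and hyphens belong to no script for this check
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def decode_hostname(raw):
    """Turn numeric character references (&#1072;) into the characters they stand for."""
    return html.unescape(raw).lower()


def ace_hostname(raw):
    """ASCII-compatible (xn--) form of the name, i.e. what is actually looked up in DNS."""
    return decode_hostname(raw).encode("idna").decode("ascii")


def inspect_hostname(raw):
    """Per-label report: the scripts used and whether the label mixes them."""
    report = []
    for label in decode_hostname(raw).split("."):
        scripts = sorted({s for s in map(script_of, label) if s})
        report.append({
            "label": label,
            "ace": label.encode("idna").decode("ascii"),
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
        })
    return report


def is_suspicious(raw):
    """Flag a hostname when any single label combines letters from several scripts."""
    return any(item["mixed_script"] for item in inspect_hostname(raw))


if __name__ == "__main__":
    for raw in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(raw) else "ok"
        print(f"{raw:24} -> {ace_hostname(raw):24} {verdict}")
        for item in inspect_hostname(raw):
            if item["mixed_script"]:
                print(f"    label {item['ace']} mixes {', '.join(item['scripts'])}")
```

A mixed-script test does not flag a label written entirely in one look-alike script, so displaying the xn-- form alongside the decoded name remains the more general check.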
With phishing scams on the rise, banks and services such as PayPal have endeavored to protect users by instructing them to make sure the Web addresses they visit are legitimate before inputting sensitive information. But this flaw means Web browsers will appear to load a proper site, while in actuality taking users to a different location.
The group said the problem affects all non-Microsoft browsers, as they support the IDN standard. Internet Explorer does not natively support IDN at the current time unless a plug-in is installed.
Because the flaw lies in the basic implementation of IDN, it's unclear how browser vendors will protect their users. Mozilla developers say they are working on a long-term solution to the issue, and in the meantime will instruct users on disabling IDN support.
Opera, on the other hand, says it has correctly implemented the specification and will not be making any changes. Apple and VeriSign, which championed IDN, have not responded to the problem.
Oops. Wait, maybe IE isn't that bad after all. D'oh!
Score: 0
|As a long history of bashing for MS continues, and everyone tries to switch to Netscape, Mozilla, and other browsers, it's good to FINALLY see you get what came for, and Microsoft prevails. It's about damn time! IE, the ruler and king of the browsing community. Stick that in your peace pipe and smoke it boys! So, IE has other issues, so what, at least this is PROOF Microsoft isn't the evil juggernaut everyone thinks they are. I will keep this little blurb for future reference the next time someone claims Firefox to be impervious to problems.
Score: 0
|IE?! The ruler... LOL!!! OMG!!! Thanks I needed a laugh. There has got to be 5 security fixes to every 1 from Mozilla. IE should just be allowed to finally die.
Score: 0
|IE is the ruler as far as market share...and the fact that more flaws are patched means more experience with fixing problems. That's how I look at it.
Score: 0
|as a temp solution to this with firefox just type about:config in the address bar then find the line network.enableIDN and change it to false... problem solved! woohoo.
Score: 1
|Excellent. Thanks for the tip!
Score: 0
|I regularly spend 5-10 minutes on the phone, trying to get people to type the right key when I say "backslash."
Let's take the average victim of phishing scams (luser who thinks PayPal really wants him to click on an email link and re-enter his info) and get him to edit a text-based config file correctly. I think the phishers will have a higher success rate.
Score: 0
|I tried this. It did not work. The site still appears as http://www.paypal.com and still loads. Restarting the browser did not help. Neither did restarting the computer. Firefox 1.0 on Windows XP.
Score: 0
|You're right, it did not appear to do anything for me either. (Not that I'm dumb enough to click on such a link anyway... but the workaround doesn't seem to work for everyone)
Score: 0
|Uhh about:config looks pretty clickable to me.
Score: 0
|It worked for me.... It was still showing that the site was paypal.com, but the site would not load at all... I changed it back to true, and the site loaded again, changed it back to false, it again would not load... maybe you are doing something wrong?
Score: 0
|The directions are not that hard. Perhaps it is some interplay with an extension or something messing it up?
Other sites have equally reported this fix doesn't work; your experience actually seems to be the minority. If I view the source I see the spoofed link for what it is, but even with IDN disabled the link displays properly and loads quite happily.
CLARIFICATION: It works before I restart the browser. When I exit and come back in, IDN is still set to false but the link works again. I need to set it to true and then back to false *within a browser session* for this workaround to work...around.
Score: 0
|yep ... this work-around is not working at all for me. Restart or no re-start ...
Score: 0
|I do run Firefox. I'm using it right now. I however used to be pro open-source. Not anymore. After three years with Linux I realize that Microsoft is king. IE is a great browser. I just wish I had more control over the flash ads and other ads. :)
Score: 0
|I do quite like the concept of Linux, but it's not quite up to par from a usability standpoint, nor is there enough consistency across distributions. That being said, it has been improving at a rapid rate, and with the level of consolidation, it won't be long before it's a serious contender on the desktop... I'd say 2 or 3 years.
Open source doesn't make software good or bad - it's the quality of the community around it that makes a project. In the case of linux, they have an excellent community, but it's fragmented, and the project itself is huge.
From a server standpoint, be it file, printer, or whatever - where stability and scalability, are king, linux is certainly equal to any task that windows is, and a heck of a lot cheaper to implement... MS's licensing scheme for servers (per user garbage) is bordering on robbery. When I own a server, and 50 workstations - 51 licenses should be sufficient, but you actually need 101 - 50 CALs for the server, the server OS itself, and 50 clients. Robbery - double dipping - garbage.
Score: 0
|Several points I could mention here, I'll start with some big ones. First of all, though most people will admit FireFox has problems, here's proof for those hard-core perfect utopia firefox lovers--there is no perfect browser, period. The real test for FireFox is not how secure it is now, but how quickly can they react to fix existing flaws.
"Because the flaw lies in the basic implementation of IDN, it's unclear how browser vendors will protect their users. Mozilla developers say they are working on a long-term solution to the issue, and in the meantime will instruct users on disabling IDN support."
Apparently they weren't ready for this yet. Here is where Microsoft can out-gun the competitors. No one has one tenth the experience MS does with solving problems with seemingly impossible security flaws. MS also fixes most flaws before they are made public as well, another potential uphill battle for any open source browser like FireFox. True, MS is also good at "downplaying" security threats sometimes when they are made public before they are fixed, but what would you do? This flaw is proof of the shortcomings of open source--nobody does their homework because why not use someone else's homework? More later.
Score: 0
|Better than Opera's response, which basically mimics the normal response of MS, which is to say - "It's not a bug, it's a feature"
If MS had implemented the IDN feature, they undoubtedly would have taken longer to fix the issue than anyone. Before saying "I told you so", you need to find an issue that affects both, and then see which gets fixed first.
Score: 0
|just to let you know I'm not wimping out I began editing my above post before I had seen a response. It does look very conveniently edited though...
Score: 0
|lol... no worries there.
There is no picnic on either side - MS and all other browser vendors have a lot of work to do to make sure that insecurities are fixed as quickly as possible.
MS, however, has a much larger responsibility as the vendor who leaves the most consumers vulnerable. They need to not only fix the issues they come across quickly and properly, they also need to change the default settings with IE to make it secure out of the box, and force people to learn how to make it insecure if they want it that way, not the other way around.
As Mozilla gains market share, they'll be tested on how well they react to security concerns, and then we'll know whether they're up to snuff or not - but for the time being, that onus remains primarily on Microsoft (although Mozilla is definitely being tested - so far they've shone).
It'd be nice if they, in addition to fixing insecure code, would update their browser to support some modern web standards - you'd think with all the work they're doing to fix everything that's broken they could sneak in some proper HTML and CSS support.
Score: 0
|Microsoft is not any better at fixing big problems fast than any other software company/group. I forget what it was but a couple months ago there was a huge bug found and they just said they were working on it, and continued to do so for several months before finally releasing a patch, so don't say that they are perfect at it because no one is.
Now, you can't really blame this on any browser because the problem isn't with the browser, it's with a standard. In other words, it really shouldn't be the browser makers' job to fix it, it should be the job of the standard makers to not come out with buggy standards.
However, I think spoofing is stupid and that to be tricked by it (after having heard about it) would be pretty hard. However, there is such a large number of people who don't know anything about computers who would be tricked easy, and I hope all of them keep using IE, and all the people who know their stuff can keep pressing on with new, better things. All I ask is to not be forced to use a browser I hate (IE), and for websites to use real standards instead of standards made up by "The Browser".
Score: 0
|The experience I have had with MS does not support the conjecture (and I do stress "conjecture") that MS would take longer to fix a given issue. They aren't any worse than any other software vendor at that game.
To the person who says that it's difficult to be tricked with online spoofing once aware that it exists, I'd love to see your reaction after doing online banking and finding out two days later that someone has completely drained your account. And no, that's not far fetched - anyone can be tricked.
Another comment urges MS to update to some of the newer web standards. At the end of the day, the folks championing "the standard" got egg on their faces. Does egg glaze count as "shining", because if so then Mozilla is indeed shining today.
That being said, I'd expect them to produce some kind of update at a point of their own choosing - hopefully with better testing and not blind acceptance of "the standard". Given the effort it is taking to rewrite the OS (Longhorn is after all a serious re-write of Windows from a security perspective), I'd deem such testing likely.
No one forces anyone to use a browser - you're free to install and use whatever you like. However, if you expect web devs everywhere to use "the standards" and write correct code, I have some tropical beachfront property to sell you - in the High Arctic. Interested?
Score: 0
|What "conjecture" are you referring to? Are you referring to my comment "No one has one tenth the experience MS does with solving problems with seemingly impossible security flaws"? It's fact, not conjecture. Heck, this is what you guys quickly point out about IE--there have been more security problems with IE than any other browser, this I believe most people agree with. If MS has fixed 10 times more problems than Mozilla, is that not ten times more experience? That's the whole point of my earlier post--MS has more experience when dealing with security flaws, period!
Score: 0
|look above--you believe what you want, MS has had a lot of problems they've had to fix, and so far they have done reasonably well. I don't know the issue in which you refer, but I recall something that Secunia "reported" that was a load of hogwash, even deleted from their web site, then something that looked similar was found later with IE and Secunia claimed they tried to inform MS about it for months and the issue was rewritten and posted as something that was 6 months old when it was not. I could be wrong--really...oh yes and spoofing is stupid but it can get pretty deceptive sometimes. Remember that virus that looked just like an MS web page for a virus fix?
Score: 0
|"MS, however, has a much larger responsibility as the vendor who leaves the most consumers vulnerable...they also need to change the default settings with IE to make it secure out of the box, and force people to learn how to make it insecure if they want it that way, not the other way around."
I agree with you there!
Score: 0
|Whoa there, big fella. THIS from Squire72 is the conjecture I'm referring to:
"If MS had implemented the IDN feature, they undoubtedly would have taken longer to fix the issue than anyone."
As far as it goes, that's just FUD.
Score: 0
|Anything Secunia claims is immediately suspect - they are NOT a reliable source of security information as far as I'm concerned.
Score: 0
|If you look at the actual record of time taken to produce patches for known issues within microsoft, you'd have to retract that statement.
MS has a history of taking many months to patch issues they know about, which is entirely unacceptable, given they obviously have the ability to create and test effective patches within days, given the developer base they employ.
Either their developers are weak, constrained by policy, or are told to focus on other issues, and ignore the security issues until they become publicly known... any of those options are irresponsible and unacceptable considering their web browser leaves Windows in general brutally vulnerable to many exploits in an unpatched state...
And their stated policy of limited updates to IE on versions of windows previous to Windows XP - leaving those systems open to serious threat - is utterly irresponsible and devoid of reason.
Oddly enough, when Netscape was the dominant browser, they (Microsoft) came out with new features (which are causing the problems now) far faster than they've ever come out with any bug fixes...
If Firefox does nothing else, maybe it'll push MS to bring IE up to the level of quality that Mozilla and Opera users have come to expect, rather than the current garbage MS is pushing as a web browser.
Score: 0
|Ever use MS Premium Support?
Not slow.
*I* wouldn't support platforms that were five years old, especially if they were on a long-dead architecture (9x) - it's not cost effective.
I have no idea how MS programmers work, from a policy perspective or otherwise. I would hardly expect them to be weak, given that they recruit directly from some of the best universities there are. I will say that they are a big company and as many such are, they are focussed forward. To that end, I would expect to see new developments in new products and not retrofitted on to old ones. That's life in the big city, otherwise known as big business. In that regard they are no different from any other large software vendor.
Speaking from a security perspective, I'd have to say that a lot of the security hole hype is badly overblown. Much of it requires you to have sacrificed a virgin at the full moon on the Martian Colonies after willingly surfing to a site known to be harboring such-and-such an exploit. That's just pure FUD. Ever hear of the Prudent Man Rule? IE was tightened up in SP2, a packet filtering firewall was put in place and default settings were changed. These are stopgap measures until Longhorn. Personally, I'm yet to see ANY of these exploits that folks like you are forever trumpeting. This is not to say that they don't exist - this IS to say that their existence is BADLY overhyped and overblown by both the popular press (hey, it sells) and the other camp (it of course suits them to do this).
In short, I give the alarmists little credence. Spoofing on the other hand I have seen. A scam was run recently where a major bank had its front-end duplicated. THAT'S a real and present danger.
Score: 0
|Damn man, are you for real?
The problem is not with the FireFox browser or any other browser for the matter, the problem is with the IDN standard. Microsoft decided not to implement this standard, and that’s because they are lazy not because they anticipated this problem.
What would you say if the problem was in the HTTP protocol? Would it still be FireFox fault?
Score: 0
|I wouldn't expect paid support to be slow.
Nor would I expect to pay for flaws in an operating system or browser I paid for to be fixed in a timely manner.
As far as not fixing critical flaws in earlier versions of windows, that is complete garbage. IE 6 should get all the same security support on all the platforms it runs, and big business, MS's big customer, still runs more Windows 2000 than Windows XP - plenty of Windows Enterprise is still on NT4. Not protecting those customers as a means of forcing them to upgrade software that works?
Extortion.
Encouraging them to upgrade by offering improvements in features and usability is a great thing to do - but forcing them to upgrade as a way to protect themselves against software they bought with reassurances the software was secure, then saying "well, sorry - if you want something secure you have to upgrade"
That's bad business.
Score: 0
|"The problem is not with the FireFox browser or any other browser for the matter, the problem is with the IDN standard."
I am fully aware of that! The points I make above are that a). MS has more experience fixing patches than other companies, and b). OPEN SOURCE has its drawbacks, kinda like em...IDN! I thought I was pretty clear above but apparently not.
"Microsoft decided not to implement this standard, and that’s because they are lazy not because they anticipated this problem."
How can we know? I'm sure that MS decided not to implement this for good reasons, while I do agree they probably did not foresee this problem either.
Score: 0
|Three letters:
I - B - M.
They popularized that business model back in the 70s and now *everyone* follows it. As a most recent example, Symantec AV Corporate Edition 9 (henceforth referred to as SAV9 - I'm lazy) has a significant bug that causes it to conflict with System Restore. This was brought to their attention last summer. They took six months to come out with a workaround. Not a fix. A workaround. Now SAV 10 is in the offing for Spring release so guess what - SAV 9 likely won't be fixed. Is it right? No. Is it big business? Yes. Is it likely to change? Do you believe in the Tooth Fairy?
Welcome to reality.
Score: 0
|The problem is there are a lot of MS customers still using those older OS's. A lot of people are using Win2K. There isn't that much of a difference between Win2K and WinXP (they're both NT 5, after all). Yet MS is forcing people to upgrade their OS for what? A bug fix in a browser? Gee, thanks. Some sites require IE. If I want to go to those sites and feel more secure, I have to shell out at least $90 to get a new version of the browser that will be updated regularly. Yeah, that's innovation.
As far as standards go, I would much rather deal with a company that uses observed standards instead of creating their own. If there's a problem with the standard, there will be a lot of people working to fix it. Once addressed, those who use the standard will fix their code to remain compliant. If there's a problem with a proprietary mechanism, who's going to fix it? Those who wrote it. That's it.
As far as Firefox getting attacked, or having holes for Phishing, it was only a matter of time. MS gets attacked because they're the biggest fish to attack. Why go after the guppy when there's a shark to be had?
Score: 0
|Regardless.
It's not a defensible business practice.
Saying "That's just how they do it"?
Much like saying that countries that violate human rights aren't doing anything wrong, because it's their country, and it's how they've always done it.
It's bad business, and it's awfully hard to support companies who practice it, or take seriously those who would.
Score: 0
|"I'm sure that MS decided not to implement this for good reasons..."
Do you have any good reason why MS decided not to implement the W3C specifications as they should? They don't give s*** for specifications, they just do what they want.
Sure open source has some drawbacks, so? What's the point here? It's not like MS with its non open source products are perfect. Bugs exist everywhere, open source or not, I just don't see what’s your point here.
Score: 0
|I am really speaking more to hard-core MS haters who think FireFox is the magical Utopia browser that even if it doesn't become #1, at least it will hurt Microsoft. That way of thinking is annoying among many other things--I openly say I'd prefer IE over FireFox any day, but I don't say MS should eradicate the evil FireFox villains--competition is a good thing. Heck, a browser like FireFox is needed if nothing else so that Microsoft will improve their browser. For the record yes, MS is far, far from perfect.
Score: 0