A few days ago Sylvan von Stuppe posted about a proposed change to Firefox 3.0 that changes the way the address bar works. I hadn’t heard this proposal, but it’s an interesting one. Basically they grey out the parts of the URL that aren’t the domain. Sylvan correctly pointed out that although that’s good for showing users that they are connecting to sites other than the one they meant to go to, it has nothing to do with the content on the page. XSS is still an obvious way around this, as the malicious content can be injected onto valid pages. According to Zeno MITRE is about to disclose that XSS is the attacker’s choice.
Although I should say that I do think this idea is a fairly good one, but there is at least one other problem with it. Almost all websites have IP addresses associated with them (except in the case of virtual hosts that also require a Host: header). Just because it’s an IP doesn’t mean it’s bad. I can’t tell you how annoying I think Thunderbird’s anti-phishing filter is to me always thinking every URL with an IP in it is a phishing attempt. That’s just not a good way to know if something is malicious or not. But I would like to see the consumer research that says people will actually use this and not be fooled by it. I’m always a little wary of “look for the ____” type security given how poorly the “look for the lock” security education has proven to work for SSL.