Working this weekend on setting up a server to run in VirtualBox for testing On-Prem AD to Azure AD integration, I had the usual issues getting network connectivity set up. That inevitably led me to setting up browser security so I could get to a website.
While configuring Internet Explorer I noticed a setting that really shouldn’t even exist:
Enabling this feature (the per-zone option that lets websites open windows without an address or status bar) makes your UI look tidy, but it also makes spoofing attacks much easier. The address bar is the one piece of browser chrome the page cannot draw for itself, so when you let a site hide it you eliminate the user's only reliable way to verify they are on the website they intend to be on. For instance, the user might think they are at https://www.paypal.com but may instead be at https://paypsl.com because of a simple typo or a look-alike link. With this setting on, a script on the malicious site can open a window with no address or status bar, paint a convincing copy of the legitimate login page inside it, and your user has nothing left to check.
An attacker who typosquats that domain can then collect usernames, passwords, and anything else your users type. Using SSL does not help here: the attacker owns paypsl.com, can obtain a perfectly valid certificate for it, and the padlock will show. Strictly speaking this is impersonation (phishing) rather than a man-in-the-middle attack, since the attacker is the endpoint instead of sitting between you and PayPal, but the result is the same: every form submission is read silently for days, weeks, or years, until someone notices. It is not nearly as difficult to pull off as you might think. The fix is to leave this setting disabled in every zone, which is also the default for the Internet zone, and to make sure Group Policy does not turn it back on.
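Since the whole argument rests on the user being able to read the host name in the address bar, here is an added example (not code from the original post) of the kind of check a human is expected to perform, written out as a small Node.js function. It classifies a hostname as the legitimate site, a look-alike, or unrelated, going a little beyond the post's single typo case: it also catches a brand name buried in a subdomain (paypal.com.evil.net style) and near-miss spellings within a small edit distance. The protected-domain list, the two-label approximation of the registrable domain (no public-suffix list), and the distance threshold are all assumptions made for the example, and the sample hostnames at the bottom are constructed.

```javascript
// Added example, not from the original post. Classify a hostname the way a
// careful user reading the address bar would. ASSUMPTIONS: the brand list,
// the "last two labels" approximation of the registrable domain, and the
// edit-distance threshold of 2 are chosen for illustration.

const PROTECTED_DOMAINS = ["paypal.com"]; // assumption: brands we care about

// Standard Levenshtein edit distance with a rolling two-row table.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Normalise a hostname: lower-case, strip a trailing dot, split into labels.
function labelsOf(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "").split(".");
}

// Approximate registrable domain as the last two labels (assumption: no
// public-suffix handling, so "example.co.uk" would be reduced to "co.uk").
function registrableDomain(hostname) {
  return labelsOf(hostname).slice(-2).join(".");
}

// Returns { verdict, brand, reason } where verdict is one of
// "legitimate", "lookalike" or "unrelated".
function classifyHost(hostname, protectedDomains = PROTECTED_DOMAINS) {
  const labels = labelsOf(hostname);
  const reg = labels.slice(-2).join(".");

  // Exact match on the registrable domain is the only thing that counts as
  // legitimate; "www.paypal.com" and "paypal.com" both pass.
  for (const brand of protectedDomains) {
    if (reg === brand) {
      return { verdict: "legitimate", brand, reason: "registrable domain matches" };
    }
  }

  for (const brand of protectedDomains) {
    const brandLabel = brand.split(".")[0];

    // "paypal.com.login-verify.net": the brand appears as a label, but the
    // registrable domain is someone else's.
    if (labels.includes(brandLabel)) {
      return { verdict: "lookalike", brand, reason: "brand used as a subdomain label" };
    }

    // "paypsl.com", "paypa1.com", "mypaypal.com": within a couple of edits.
    const d = levenshtein(reg.split(".")[0], brandLabel);
    if (d > 0 && d <= 2) {
      return { verdict: "lookalike", brand, reason: `edit distance ${d} from ${brand}` };
    }
  }

  return { verdict: "unrelated", brand: null, reason: "no protected brand matched" };
}

// Constructed sample hostnames for a stand-alone run.
const SAMPLE_HOSTS = [
  "www.paypal.com",
  "paypsl.com",
  "paypa1.com",
  "www.paypal.com.login-verify.net",
  "example.com",
];
for (const h of SAMPLE_HOSTS) {
  const r = classifyHost(h);
  console.log(`${h.padEnd(34)} ${r.verdict.padEnd(11)} ${r.reason}`);
}
```

The point of writing it out is how little the check is: compare the registrable domain against a short list. That is exactly the comparison a user cannot make once the address bar is gone, and the reason nothing the page itself draws, padlock images included, can substitute for it.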
Never sacrifice security for appearance.