Quero Toolbar for Internet Explorer: A review
The Quero Toolbar, by Viktor Krammer, is a replacement for the standard Address Bar in Internet Explorer 6 and 7. It brings added security and accessibility to the browsing experience. It brings the capability to zoom (magnify) web sites for easier reading, something that is not available in Internet Explorer versions earlier than 7.
Security
IDN spoofed URLs as handled by Quero Toolbar
Prior to 2001, all domain names were specified in US ascii characters, each of which had a unique appearance as set in type on paper, as seen on a video screen, and as sent over a computer circuit. Back in 2001, a process was initiated whereby internationalized domain names can be specified using non-English language scripts and alphabet characters that are beyond our Latin alphabet, and beyond the US ascii character set. See this site for some background on IDN. The author was promoting a more conservative approach whereby the character set would be expanded to include a broader set of unique characters, but my understanding is that the all-out approach was adopted, and therefore, we now deal with characters that are identical in appearance to the eye, both on screen and in print, but which are different. This allows for domain names to be spelled out in local languages, but also adds confusion and chance for chicanery. There are numerous characters from foreign language alphabets which are typeset and look identical visually to Latin characters. Character а "а" and Latin character a "a" are two different characters, but appear identical in the visual view. Therefore, when interpreted in our codepages and charsets, a domain name like "www.paypal.com" (the real Paypal) and "www.pаypal.com" (a potential phishing expedition) cannot be told apart in links. These are two entirely different domain names, one of which points to the email payment company, and the other which actually points to a web site that demonstrates this spoof.
To prove this point, bring up the find command on your edit menu, type in www.paypal.com, and search the page for that term. Not everything you see as appearing to be "www.paypal.com" will be highlighted in your search.
Hovering over the spoof site in Windows XP SP2 with IE7 installed and Quero Toolbar disabled, shows :
"www.xn--pypal-4ve.com"
in the Status bar, if that is turned on. Many people have this bar, located across the bottom of the browser window turned off in order to give that space over to the web site view. Windows XP SP2 and Internet Explorer 7 without Quero installed or enabled, will take you to the spoof web site, and a yellow bar will appear across the top of the window stating , "This web address contains letters or symbols that cannot be displayed with the current language settings. Click here for options..." The address bar shows:
"http://www.xn--pypal-4ve.com/"
and there is a gold shield in the lower left corner of the status bar with an exclamation point. This result may be from Microsoft's phishing filter. However, you have clicked on what looks like a link to www.paypal.com, and you are being shown the content of a page that is not that of Paypal. If this were an evil site, it could have the Paypal home page looking as real as the actual Paypal site, waiting to steal your password and access id for Paypal, and then to steal your financial information.
This is why Paypal advises that you type their domain name in to your browser from the keyboard, and not follow a link. It is possible to replicate what looks like Genuine PayPal on a fishy site, using tricks with foreign-language glyphs.
This article continues below.
With Quero Toolbar in place, you will be warned upfront that you are visiting a fishy site. Here, I am visiting http://www.shmoo.com/idn/, a site which demonstrates the IDN problem, and have just clicked a link that looks like www.paypal.com. See this screen shot:
Note that the "a" in "paypal" is shaded in the Quero address bar, with the shaded word "Cyrillic" at the right end of the address bar. This is pointing out the letter which is not really what you think it is, and what language it is from. Also note the address in the status bar, which is the resolved address. Also, note that you have not left the page that contained the link. You have not been sent to the spoofed page -- yet. Also note that you may proceed, now that you have beern duly warned, or you may cancel the move. Visit http://www.shmoo.com/idn/ for live demonstration links that show you how your browser and operating system handle this situation. It is safe to visit the spoofed links in this demonstration site, but that is not always the case.
Just for kicks, I visited the Shmoo site with Firefox, and there I saw www.paypal.com as the link text, and when I hovered over it, the status bar showed the real address. But not paying attention to the status bar, I clicked on the paypal link. Firefox took me to the spoof site, displaying the real address in the address bar. There was no other, additional warning issued.
Other URL Warnings
The Quero Toolbar will issue similar warning dialogs when encountering a url that contains characters that cannot be displayed by the installed font. Quero's FAQ page offers a demo link to "I.com" which is actually xn--f9jxf.com.
Quero also warns of a link containing an address that does not conform to the specification. The FAQ offers up a link made up of "www.(64 characters).com. There is no "Proceed" option to continue to the site.
I am revising the remainder of this section from its first publication, leaving the reference to rfc 1123's section 2.1 for historical reference only. I don't believe it to be germane to this discussion, and it was misapplied in my original writing, bringing me to an improper conclusion. I have since learned, for instance, that there is no such thing as a Web address with more than 63 characters in the part called a second-level domain (SLD) ("wb7tjd" in "wb7tjd.org". There is no harm done by Quero's refusal to let you go on to the site.
As a point of fact, I tried registering a long domain name, and found the registration form stopped taking input after 63 characters were entered. There are also many sites claiming to have the world's longest domain name, each one having 63 characters in its SLD. A Google search should find examples of the "world's longest domain name."
The Internet specifications in section 2.1 of RFC1123 requires that "Host software MUST handle host names of up to 63 characters and SHOULD handle host names of up to 255 characters. "
More security features
On the right end of the Quero address bar, a 123 icon appears when there are digits or hyphens in the domain name, with the digit highlighted. This helps to identify a site whose name may be confused because a digit 1 and a capital letter I or lowercase letter l may be identical in appearance. Similarly, a 0 and capital O are often mistaken.
An IDN icon appears to indicate an International Domain Name is displayed.
A padlock icon in the right end of the address bar, coupled with a yellow background in the address bar, highlights a secure connection, beginning with https://. Clicking the padlock will display the certificate for the secure site.
A wastebasket icon indicates that the Quero ad blocker has blocked content on the site. Click the icon to display the blocked content.
Replace the Address Bar, Search Bar and scattered buttons in Internet Explorer 7
This image of the Quero Toolbar has every button made available. From Left to Right, they are Back, Forward, Refresh, Stop, Home. Over on the far right is a Go button. Each of these buttons can be hidden on an individual basis from the Quero Options screen. This Go button sends you to the search home page or to an address in the address box. Hitting enter after typing in the box will accomplish the same thing, and therefore Go is not necessary.
Among the list of improvements in version 3.3.0.0 is addition of descriptive tooltips for the various buttons. The Highlight feature, which produces highlighting of selected text, usually search terms, was revamped to make a single highlight span a quoted phrase, rather than show individual colors for each of the words in the phrase. Additionally, the code was strengthened to avoid a crash that was occurring on my computer when highlighting was used with certain web sites, as a result of my feedback to the author's support link.
Quero replaces the native address bar and its set of buttons, on either Internet Explorer 6 or 7. This adds a number of advanced features to IE6, and duplicates some features found in IE7.
Quero features
Quero has a Frequently Asked Questions page which explains a lot of features that I haven't fully realized exist. Please refer to it to get answers to things that I haven't fully covered here.
Quero menu options
By left-clicking on the Quero logo, a dropdown menu opens up to display a host of features and options. Menu options are listed below:
- Find Next -- Visible if a search term is entered
- Find on Page -- Allows selection of search terms
_________ - Hide Flash -- On or off
_________ - Search Profile -- Lists several countries for which a set of search engines is available; we use Standard.
- Default Engine -- Select your choice
_________ - Highlight -- Toggles on or off.
- Block Ads -- On or off -- More fine adjustments available in Options
- Block Pop-Ups -- On or off -- Also more available in Options
- Resize Window -- Set browser window size to common screen resolution sizes
- Zoom -- From 50% to 400%, adds this feature to IE6.
- Clear History -- Empties the Quero use history buffer
_________ - Options... -- Opens a dialog box; see next section.
- About Quero
Options...
The Options dialog contains five tabs:
- Settings
- Ad Blocker -- Adjust Pop-Up and Ad-Block behavior
- Appearance
- Security
- Advanced
Advanced, User-Agent String control
Among the options here is the ability to change the User Agent string content. The UA string reports to a Web server the type of web browser and operating system in use, such information being added to the server's activity log. A typical UA string might be:
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
There are four text entry fields titled, "Prefix," "Compatible," "Version," "Platform." One is left to guess if one is not familiar with this area, just exactly what should be put in there. The default string is not shown in the boxes to act as a guide, nor are there sample strings made available as is the case in Opera browser's implementation. However, through trial substitution, I was able to identify which parts of the string are replaced with the text entered in the boxes.
In the box named Prefix, Internet Explorer passes itself off as Mozilla/4.0, where the numbers after the slash are the version number. Mozilla browsers use Mozilla/5.0 here. I understand Opera calls itself Opera.
The open parenthesis comes between the Prefix and Compatible fields. The word "compatible" appears in the Compatible box, followed by a semicolon that falls between the Compatible box and the Version box. Firefox puts the word "Windows" here.
The browser name and version go in the Version box. Internet Rxplorer puts MSIE 7.0 in here, adjusting the numbers to fit the actual version. Firefox puts the letter "U" here.
Windows XP is identified as Windows NT 5.1, and the ".NET CLR 1.1.4322)" appears to ride along regardless of what is entered in the boxes. Firefox puts "Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" here, which seems to be where the Firefox identity resides. I was able to pass myself off as using Firefox with this string, but there's gotta be a better way of emulating other User Agent strings.
Ad Blocker
The Ad Blocker page gives you finer control over ad-blocker and pop-up-blocker functions, with a site list where just the right action can be further tailored.
Most other areas of Quero's Options screens are relatively straightforward. You can customize many of Quero's options and behaviors, though the default settings are pretty good starting points.
Searching with Quero
Quero allows search terms to be entered directly into its address bar, negating the need to visit your favorite search engine's home page to begin a search. With Quick Type selected in Options, typing in the browser window will automatically go in to the address bar, unless you are focused on a form field in the web page. With Quick Find also checked, typing in the browser window will locate the first instance of any word or set of 3 or more letter sequences typed into the address bar, on the page.
With a search term in the address bar, a magnifying glass icon appears on the left side of the address bar, and can be clicked to bring up the next sequence of the search terms. For instance, I just typed in "147" while on the home page of our site and counted 11 instances of this sequence on the page. At the end of the page, a ding is heard and the search starts at the top of the page.
From the Quero menu, Find Next can be used to perform the same thing, and Find on Page will locate the first instance.
Search Box
The Quero Search Engine box displays the default engine upon browser start. The default can be selected from the Quero menu. To select from a list of engines, just click on the search engine box to open a drop-down list and then click on the name of the search engine to use, and if you have search terms in the address bar, those terms will be executed on the chosen engine. Click again and choose another engine, and the search will be executed again on the new engine. If an address or nothing is in the address bar, a search engine's home page will be brought up.
Following is a list of the search engines in the standard search profile. (You cannot edit or customize the search profile, but you can ask to have new engines added in the next version of Quero):
- Live Search
- Yahoo!
- AlltheWeb
- Ask Jeeves
- Vivisimo
- dmoz
_________ - Dictionary
- Wikipedia
_________
Additionally, IMOb, Amazon, PriceGrabber, MSN Money, Weather, Yahoo People, Yellow Pages, Google Maps and Yahoo Maps round out the list.
Put your zip code in the address bar and get your local weather with the weather choice.
Conclusion
Overall, this Toolbar adds many fine security improvements and conveniences to the browsing experience. It does make the transition from Internet Explorer 6 to Internet Explorer 7 more smooth, as it allows one to revert more to what one was accustomed to in the earlier version.
I have to note that my use of Quero has been with the EnhanceIE tweaks already in place when I was first introduced to Quero Toolbar. The Toolbar can be located anywhere below the title bar and above the tab bar in Internet Explorer 7, and if you are still using IE6, it can be located anywhere you can move toolbars to.
While in IE6, you can turn off the address bar, and in IE 7 there is no wa to do so, Quero provides the ability to hide the address bar from its options page.
An option exists to have Quero send a Web address to the chosen search engine if the address does not exist, or to let Internet Explorer tell you the page cannot be displayed.
The Back Button history is something IE7 left out as it was in IE6, and Quero Toolbar brings History back the way it worked on IE6. Right-click the Back button and go back in history to select a page previously visited.
All in all, this free toolbar is a welcome addition to the Internet Explorer browsing environment. I say "free," as there is no price or any nag to contribute. There is only a link on the About page if you wish to contribute financially toward the developer's time and effort to put forth this piece of work. Nothing more.
I rate Quero Toolbar as First Class.
-- Larry, WB7CRK -- Webmaster, WB7TJD.org
Addendum
Two additional thoughts I wish to pass along -- There are several themes available on Viktor Krammer's web site, that provide differing styles of buttons, besidess the ones pictured here. I also wish to share his e-mailed comments with the audience.
Hi Larry,
Thank you very much for your great and detailed review. I am very happy with it and I have already updated the link in my review section on the press page. I am also considering posting a news entry about your review when I have time because it provides such a good starting point for novice Quero and IE7 users.
One thing I want to note is that you say that Quero does not support 255 byte host names. Actually, according to the RFC 2181 standard, the 63 byte limit applies to individual labels in the host name and the 255 byte limit is rather meant for the host name as a whole.
RFC 2181 Clarification to the DNS Specification section 11 "The length of any one label is limited to between 1 and 63 octets."
Another thing I have learned only recently about RFC standards is that they are being updated over time, so one must be cautious that something has not changed in an another, newer RFC standard .On the other hand many of the new standards or only proposed standards or drafts and may change in the future.
Best regards,
Viktor Krammer
--
http://www.quero.at/
The New Web Experience