Greetings,

We've had occasional issues with fake CAS login sites, and I'm wondering
what current anti-phishing measures might be available to the CAS web
server (I see a slightly outdated mention of the topic on
https://wiki.jasig.org/x/FgnP).

Foremost is user education--instilling the Internet analogue of "street
smarts". Unfortunately, there's always someone who isn't paying
attention or, in some cases, a bit of a language barrier understanding
nuance in phishing emails, web pages, ....

At the server level, one method is to place either a short expiration or
'no-cache' directive on static content (e.g. css) and, on detecting a
non-local HTTP 'Referer' header ("hot linking"), block access to alter
login page presentation, or redirect to an access-denied page (with
additional educational content).

None of this is bulletproof; they're only layers to reach a fraction of
low hanging fruit.

Other ideas?

Thanks.
Tom.

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
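The server-side measure Tom describes (no-cache on static assets, then refusing or redirecting fetches whose Referer names a foreign host), worked through as an added example. This is not code from the thread or from the CAS project; it is a small WSGI middleware in Python, and ALLOWED_HOSTS, STATIC_PREFIX, EDUCATION_PATH and the stub CAS app are assumed deployment values. It deliberately lets requests with no Referer through, since browsers legitimately omit the header, and it compares the parsed hostname rather than the raw header so a "https://cas.example.edu@attacker/..." Referer is not mistaken for the real server.

```python
"""Hot-link guard for a CAS login page's static assets (added example).

Idea from the post above: serve css/js/images with 'Cache-Control: no-store'
so the browser re-fetches them for every page that embeds them, which means
every embedding page sends a Referer. When that Referer names a host other
than the real CAS server, refuse the asset (a copied login page then renders
unstyled) or redirect to a page with educational content.
"""
from urllib.parse import urlsplit

# Assumed deployment values, not CAS defaults.
ALLOWED_HOSTS = {"cas.example.edu"}
STATIC_PREFIX = "/cas/static/"
EDUCATION_PATH = "/cas/phishing-warning"  # assumed page explaining the fake-site risk


def referer_host(referer):
    """Lowercase hostname named by a Referer header, or None.

    None is returned for a missing or unparsable header. Browsers legitimately
    omit Referer (privacy settings, Referrer-Policy, https->http navigations),
    so None must never be treated as evidence of hot-linking.
    """
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    # .hostname ignores userinfo, so 'https://cas.example.edu@evil/...' parses
    # to 'evil' and is correctly rejected below.
    return parts.hostname.lower()


def is_hotlinked(referer, allowed_hosts=ALLOWED_HOSTS):
    """True only when a present, parsable Referer names a foreign host."""
    host = referer_host(referer)
    if host is None:
        return False
    return host not in {h.lower() for h in allowed_hosts}


class HotlinkGuard:
    """WSGI middleware in front of the real application (CAS, or a stub here).

    mode="block"    -> answer hot-linked static requests with 403
    mode="redirect" -> send the browser to EDUCATION_PATH instead
    """

    def __init__(self, app, mode="block"):
        self.app = app
        self.mode = mode

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(STATIC_PREFIX):
            return self.app(environ, start_response)  # login page etc. untouched

        if is_hotlinked(environ.get("HTTP_REFERER")):
            # Log the foreign host: a steady stream of these is an early warning
            # that a clone of the login page is live somewhere.
            foreign = referer_host(environ.get("HTTP_REFERER"))
            if self.mode == "redirect":
                start_response("302 Found", [("Location", EDUCATION_PATH),
                                             ("Cache-Control", "no-store")])
                return [b""]
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Cache-Control", "no-store")])
            return [("Static content may only be embedded by the CAS login page "
                     "(request came from %s).\n" % foreign).encode()]

        # Legitimate fetch: serve it, but override any caching header so the
        # next embedding page has to fetch again and reveal its Referer.
        def no_store_start_response(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            headers.append(("Cache-Control", "no-store"))
            return start_response(status, headers, exc_info)

        return self.app(environ, no_store_start_response)


def stub_cas_app(environ, start_response):
    """Stand-in for CAS: serves a stylesheet with a long cache lifetime."""
    start_response("200 OK", [("Content-Type", "text/css"),
                              ("Cache-Control", "max-age=3600")])
    return [b"body { font-family: sans-serif }\n"]


def simulate(path, referer=None, mode="block"):
    """Run one constructed request through the guard; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(HotlinkGuard(stub_cas_app, mode)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for ref in ("https://cas.example.edu/cas/login",
                None,
                "http://cas-login.example.net/login",
                "https://cas.example.edu@cas-login.example.net/login"):
        status, headers, _ = simulate("/cas/static/cas.css", ref)
        print("%-55s -> %s %s" % (ref, status, headers.get("Cache-Control")))
```

Two caveats a deployment should keep in mind. First, this only catches clones that still load assets from the real server; anyone who copies the stylesheet into their fake site is unaffected, so the 403 branch is mostly a tripwire (the logged foreign host is often the more useful output). Second, if the login page itself is served with a Referrer-Policy that suppresses Referer on same-origin subresource requests, legitimate fetches arrive with no header and must be allowed through, which is why a missing header is never blocked here.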
