There still remains the issue that you can provide a good visual
approximation to any piece of software just by using JavaScript and
HTML.  I fear that too many users would fall for that. 8-(

We think that the trusted credentials and logo area will provide some protection against this as well,
since you get a very clear indication of running an insecure site (see screen shots)... of course I agree with you that we should validate this intuition with user studies (and I'm trying to arrange these).

In considering such solutions, it is important to distinguish threat
models.  Phishing is so harmful because it succeeds without even breaking
in to users' computers.
Agree!

But is it so harmful? How much money is lost in a typical phishing
attack against a large US bank, or PayPal?

The Gartner study I've cited in my paper (off my homepage), and some other publications I've seen, claim very high actual damages.
--
Best regards,


Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)