Jeffrey Altman wrote:
Solving the phishing problem requires changes on many levels:

(1) Some form of secure chrome for browsers must be deployed where
    the security either comes from a "trusted desktop" or by per-user
    customizations that significantly decrease the chances that the
    attacker can fake the web site experience.  (Prevent the attacker
    from replicating the browser frame, toolbars, lock icons,
    certificate dialogs, etc.)

(2) Reducing the number of accounts and passwords (or other identifiers)
    that end users need to remember.  With a separate identifier for
    each and every web site it is no surprise that my extended family
    can never remember what was used at each site.   Therefore, it is
    not much of a surprise when a site says that the authentication

(3) Secure mechanisms must be developed for handling enrollment and
    password changing.

  What we really need is something similar to the built-in "remember
my password" functionality of current web browsers: the browser keeps
track of a login/password/certified (ie TLS certificate-backed) DNS name
tuple, and if it ever spots the user entering said login/password into a
different website, brings up some form of dialog alerting the user to a
potential phishing attack.

The downside, of course, is that:

a) It wouldn't handle password changing,
b) Some people use the same login and password *everywhere*,
c) Once you change browsers or computers, all bets are off (because the
new browser doesn't know anything about which passwords you use where).


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to