Duane <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> Ian G wrote:
> > The first thing that strikes is that the IDN/Shmoo thing
> > is not a bug but is a feature. It's doing what it was
> > intended to do. Indeed, one of the browser manufacturers
> > said that in the Shmoo advisory (but just saying that is
> > not a sufficient response!).
>
> Actually it just occurred to me, we have started to get everyone
> checking the lock for SSL, and I've seen on one of the bootable CD
> distros based on Ubuntu (Beatrix) that the domain is shown next to it
> (although it's showing paypal.com in this case, not the
> xn--pypal-4ve.com), why not show the damn domain and some other symbol
> to stand for Unicode domains, some sort of weird flag that looks cool
> maybe? :)
>
> If the domain next to the lock/flag doesn't match up top then
> something's amiss... Obviously the finer points of implementing this in
> a sane manner so as not to trip over valid domains is another issue...
Nice idea, here is my approach to this (I just posted a very similar post to netscape.public.mozilla.browser. Apologies. I only just realised this was a more appropriate group. I'm new here.):

When a user browses a bookmarked or frequently visited domain a 'star' (or some other simple symbol) appears at the end of the URL (or next to where the SSL padlock icon appears in the browser). The user could now easily identify that they are indeed browsing on one of their favoured websites.

The browser itself is able to know this because it can grab a list of domains from the user's bookmarks and look in the user's history to see frequently accessed domains, for example sites accessed on more than 10 separate occasions (this figure could be set to something more suitable, it is just an initial guess at a good figure).

If you are a Paypal user for example you are likely to have Paypal bookmarked or at the very least you will probably visit it regularly. If some website or email links to a fake Paypal then when the site loads the star will be missing from the address bar field since it will be the first time you have used this fake site. Hence it is easy for the user to see something is wrong.

Hopefully users would get used to the idea that their favourite sites always display a star in the address bar, so this would start to become obvious. Maybe it would require educating the users about what the star is and why it appears there but this had to be done when the SSL padlock was first added to the browser. I reckon people would pick this up in no time.

I have suggested this on the Opera forums (I'm an Opera user). I have had some criticisms of the idea. For example someone pointed out that the first time you visit a new safe website no star would be present. Also, not all people use bookmarks extensively. My response has generally been along these lines:

When you first visit a site you don't know if you can trust the site anyway. I'm usually cautious of new sites the first few times. I am that little bit more nervous about giving them personal data or credit card information hence I check the site out more carefully. I bet most people are the same. Furthermore after you have come back and used that site a few times and hence presumably are happy with it, it would move to one of your most frequently visited sites (or you might even bookmark it). After this point a star would display.

Regarding bookmarks, it is true that many people don't use bookmarks and in the age of Google you might even say why bother, but many people do and if people knew that by bookmarking a site they could later verify it was the same site they had been to previously they may be willing to start bookmarking again, even if only for financial sites. Instead of bookmarking (or even in addition to bookmarking) you might also have the option of clicking on a button to say, "remember this as a known domain name", and from that point on it would also show a star.

It does not solve all issues but it makes it a damn sight easier to pick out when you are on a fake version of one of your favourite sites, which is the main issue as far as I can tell. Also, it requires little user effort (worst case, you do the one time action of bookmarking the sites you are worried might be spoofed). Finally an extra advantage of this method is that it helps prevent other types of spoofing, for example when fraudsters substitute ASCII characters (e.g. '0' for 'o').

Anyway if you think it is a good idea feel free to spread it around as a suggestion to anyone who you think might be influential in development of any of the popular browsers. Or anyone good at writing plugins!

Originally taken from my website: http://www.panix.com/~ruari/browser_spoofing_solution.html

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
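The "known domain" star described in the post above, worked through as an added example (this is editor's illustration code, not code from the poster, from Opera or from any Mozilla browser). It assumes the browser exposes bookmarks as a list of URLs and history as records with a per-site visit count, and uses the post's guessed threshold of more than 10 visits. The important detail for the IDN/Shmoo case is that the comparison is done on the canonical ASCII (punycode) hostname that WHATWG URL parsing produces, so a Cyrillic-'а' paypal.com is compared as xn--pypal-4ve.com and never collides with the bookmarked paypal.com; the '0' for 'o' style ASCII substitution the post mentions falls out for free, since the host simply is not in the set.

```javascript
// Added example of the proposed "star for known domains" indicator.
// Not part of the original post or of any browser's code base.

// The post's initial guess: sites visited on more than 10 separate occasions.
const FREQUENT_VISIT_THRESHOLD = 10;

// Canonical hostname for comparison. The WHATWG URL parser applies
// IDNA ToASCII to the host, so a Unicode lookalike such as
// "p\u0430ypal.com" (Cyrillic small a) becomes "xn--pypal-4ve.com"
// rather than matching the bookmarked "paypal.com". Returns null for
// anything that does not parse as a URL with a host.
function canonicalHost(url) {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return host.length > 0 ? host : null;
  } catch (e) {
    return null;
  }
}

// Build the set of known hosts from the user's bookmarks plus history
// entries that clear the frequency threshold. `history` is a list of
// {url, visitCount} records; the shape is an assumption of this example.
function buildKnownHosts(bookmarks, history, threshold = FREQUENT_VISIT_THRESHOLD) {
  const known = new Set();
  for (const url of bookmarks) {
    const h = canonicalHost(url);
    if (h) known.add(h);
  }
  for (const rec of history) {
    if (rec.visitCount > threshold) {
      const h = canonicalHost(rec.url);
      if (h) known.add(h);
    }
  }
  return known;
}

// The "remember this as a known domain name" button from the post:
// add the current page's host to the set without bookmarking it.
function rememberDomain(currentUrl, knownHosts) {
  const h = canonicalHost(currentUrl);
  if (h) knownHosts.add(h);
  return knownHosts;
}

// Decide what the address bar shows for the current page:
// 'star' when the host is known, 'none' otherwise (including unparsable URLs).
function indicatorFor(currentUrl, knownHosts) {
  const h = canonicalHost(currentUrl);
  return h !== null && knownHosts.has(h) ? 'star' : 'none';
}

// Constructed sample data for a user who has Paypal bookmarked and
// visits their bank often but has only looked at a news site a few times.
const SAMPLE_BOOKMARKS = ['https://www.paypal.com/', 'https://mail.example.org/inbox'];
const SAMPLE_HISTORY = [
  { url: 'https://online.bank.example/', visitCount: 25 },
  { url: 'https://news.example.net/', visitCount: 3 },
];

// Run the scenarios from the post and collect the resulting indicators.
function demo() {
  const known = buildKnownHosts(SAMPLE_BOOKMARKS, SAMPLE_HISTORY);
  return {
    bookmarked: indicatorFor('https://www.paypal.com/signin', known),
    frequent: indicatorFor('https://online.bank.example/login', known),
    infrequent: indicatorFor('https://news.example.net/', known),
    idnLookalike: indicatorFor('https://www.p\u0430ypal.com/signin', known),   // Cyrillic a
    asciiLookalike: indicatorFor('https://www.paypa1.com/signin', known),      // digit 1 for l
    afterRemember: indicatorFor('https://news.example.net/', rememberDomain('https://news.example.net/', known)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The check here is on the exact hostname, so www.paypal.com and paypal.com count as different sites; collapsing a host to its registrable domain (the "finer points ... so as not to trip over valid domains" Duane mentions) is a refinement this example deliberately leaves out, since doing it correctly needs a public-suffix list.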
