CarlosRivera wrote:
This might be a bit drastic. The sites that one would want to protect
against are https like paypal, banks, ebay and so forth. How about
having a white list of https sites? This way the attack would not
work unless it is included in one's white list. I would estimate that
I go to less than 20 sites via https regularly, so it should not be a
big deal to set up. It also might have other potential benefits for
other unknown phishing type attacks. I am assuming that folks know to
look for the https and/or closed padlock. Somebody that I know who had
their yahoo email, ebay, paypal and other accounts hijacked had no clue
about https, so this might be a bad assumption.

Yes, this is essentially what is considered the petname
approach. When the user enters an SSL site for the
first time, she is offered an ability to label the site,
which automatically gives it a 'white list' status.
(A petname is a name that is only known to the user,
and identifies an otherwise intractable name like a
key. When the key is seen, the browser shows the
name; if she ends up on a spoofed site, no name is
displayed. The logo ideas of Amir & Ahmad go one
step better by letting the user select a logo which is
then displayed on her 'favourite' site, but won't be
on the spoof site.)
iang
Gervase Markham wrote:
After today's staff and drivers meetings, mozilla.org has decided on
a short-term course of action for dealing with the IDN/punycode problem.
http://weblogs.mozillazine.org/gerv/archives/007556.html
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
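
The petname check described in the reply above, as an added example that is not part of the original thread or of any browser's code. It assumes a site is identified by the SHA-256 of its public key bytes; `PetnameStore`, the key bytes and the hostnames are constructed for illustration.

```javascript
const crypto = require("crypto");
const { domainToASCII } = require("url");

// Assumption: a site is identified by the SHA-256 of its public key bytes.
function keyFingerprint(publicKey) {
  return crypto.createHash("sha256").update(publicKey).digest("hex");
}

// Hypothetical store: key fingerprint -> name only the user knows.
class PetnameStore {
  constructor() {
    this.byKey = new Map();
  }

  // The user labels a site on her first SSL visit; this is the white-listing step.
  label(publicKey, petname) {
    const fp = keyFingerprint(publicKey);
    for (const [otherFp, name] of this.byKey) {
      if (name === petname && otherFp !== fp) {
        throw new Error(`petname "${petname}" already names another key`);
      }
    }
    this.byKey.set(fp, petname);
  }

  // What the browser chrome shows: the petname if the key is known, otherwise
  // no name, plus the ASCII (punycode) hostname so an IDN lookalike is visible.
  indicator(hostname, publicKey) {
    const petname = this.byKey.get(keyFingerprint(publicKey)) || null;
    return { petname, asciiHost: domainToASCII(hostname) };
  }
}

// Constructed sample data: stand-in key bytes, and a lookalike host whose
// second letter is CYRILLIC SMALL LETTER A (U+0430).
const realKey = Buffer.from("constructed-public-key-of-the-real-site");
const spoofKey = Buffer.from("constructed-public-key-of-the-spoof-site");
const lookalikeHost = "p\u0430ypal.com";

function demo() {
  const store = new PetnameStore();
  store.label(realKey, "my paypal");
  return {
    real: store.indicator("paypal.com", realKey),
    spoof: store.indicator(lookalikeHost, spoofKey),
  };
}

console.log(demo());
```

Because the lookup is keyed on the key rather than on the displayed hostname, the lookalike host gets no petname even though its Unicode form renders like the real one.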