Everybody's 20 sites is easy to deal with. It's just like a cookie dialog: add it, reject it (and remember site). The domain hashing is interesting, but I would probably forget the symbols. One could also just have a hash number instead of showing symbols representing 4096 possibilities; one could show a number or hex number as well. In any case, if naive users don't know to look for https, then this would not help much. I would rather white list my SSL sites.

I think the URL you meant is (s was missing):

http://www.gerv.net/security/phishing-browser-defences.html

Gervase Markham wrote:
> CarlosRivera wrote:
>
>> This might be a bit drastic. The sites that one would want to protect against are https like paypal, banks, ebay and so forth. How about having a white list of https sites?
>
> We couldn't have a global whitelist - everyone's 20 sites is different to everyone else's.
>
> If you mean a personal whitelist, that's what the hashed SSL domain history proposal is about.
> http://www.gerv.net/security/phishing-brower-defences.html
>
> Gerv
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
