Tyler Close wrote:
> The first is that the current UI does not enable even an expert user
> to reliably detect a phishing attack. This failing must be corrected
> before we have any hope of helping the naive user. All of the widgets
> in the current UI contain information provided by the attacker. The
> URL, the page content, the SSL certificate (if any) are all data
> elements provided by the attacker.

That's not entirely true. The URL is sort of provided by the attacker, but if the domain doesn't match the domain the user is looking for, they can notice this using the domain indicator.

The SSL certificate is also only under the attacker's control to a certain extent. Again, they shouldn't be able to get a cert for a domain they don't control, and if they do control the domain, the values in the cert are not quite arbitrarily choosable.

I agree we need to do better in this area, and we will be doing so.

> The recent Shmoo attack is a good demonstration of how
> difficult it can be to discover a discrepancy.

As I hope you know, we are working on dealing with this issue. The fact that users can be fooled by this is a problem/bug, but it's not one that can be used to reason that our approach is wrong.

> Secondly, I think it is difficult to argue that the petname tool is
> harder to use than other elements of the browser UI.

I don't think anyone's arguing that it's _harder_ to use. My argument, certainly, is that people will not use it because it involves effort.

Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security