[EMAIL PROTECTED] wrote:
>
> Hi all,
>
> I've come up with an idea for preventing phishing, I would love to
> hear everyone's thoughts:-
> http://www.thespanner.co.uk/2007/04/11/how-to-prevent-phishing/
>
I think where this sort of approach falls down is the assumption that users will notice if the login page deviates from the usual. In practice, users are quite accustomed to web pages drastically changing every now and then due to new UI or graphic designs. I suspect that there is even a small subset of users that would happily respond if prompted with a message saying "In order to continue we need you to enter your passphrase" on a fake site.

The general case of this problem is that these solutions present something in the "safe" case that is absent from the "unsafe" case. This needs to be the opposite: there needs to be nothing special in the "safe" case, and a big red flashing box with bells on in the "unsafe" case; unfortunately, detecting the "unsafe" case is a difficult problem... but we all know that already.

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
