On Wed, Jan 14, 2015 at 1:15 AM, Anne van Kesteren <[email protected]> wrote:
> On Tue, Jan 13, 2015 at 9:30 PM, Chris Hartmann <[email protected]> wrote:
>> If a phisher
>> sent you an email claiming to be okta.com with a link to a fake but
>> believable hostname, say otka.com (see what I did there), you happen
>> to click the link and are on the verge of providing your credentials,
>
> Yeah, that's the concern.
>
>
>> When yourcompany.com formed the business relationship with
>> okta.com it could perhaps share a bit of digitally signed data, say
>> digitally sign the url to the login page (www.okta.com/yourcompany)
>> and embed that in response.
>
> Given that the current address bar UI already has limited utility,
> it's not clear to me what making it more complicated will actually
> help users.
>
Yeah, I also have the sense that any proposed UA/UI change is going to be highly scrutinized and be a point of resistance. But I have yet to conclude how social engineering attacks can be comprehensively addressed without at least partially arming end users with something to help them make these important correlations. Trust by affiliation is a real thing that we do in the real world; although these affiliations are hard to verify, they work in general. In the digital world, fortunately, we can have machines verify these affiliations with an extremely high level of certainty, and I'd argue people should be able to perceive these to formulate trust.

>
> --
> https://annevankesteren.nl/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
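The quoted proposal (yourcompany.com digitally signs the URL of its login page at okta.com, and the user agent checks the page it landed on against that endorsement) worked through as an added Go example. This is not code from the thread or from any browser or vendor; the Ed25519 choice, the `Affiliation` blob, the `affiliation-v1` canonical encoding, the in-memory key store and the host names are all assumptions made for illustration. It goes slightly beyond the quoted sketch by treating the endorsement as an https origin plus path, so that a look-alike host, a userinfo trick (`https://www.okta.com@otka.com/`), a different port and a path-confusion URL are all rejected while the endorsed page and its sub-paths are accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Affiliation is the assertion yourcompany.com (the issuer) hands to the user
// agent: "the login page I send my users to lives at exactly this URL".
type Affiliation struct {
	Issuer   string // host that vouches, e.g. "yourcompany.com"
	LoginURL string // endorsed login page, e.g. "https://www.okta.com/yourcompany"
	Sig      string // base64 Ed25519 signature over canonical(Issuer, LoginURL)
}

// canonical is the exact byte string that gets signed. Newlines cannot occur
// in a host or an absolute URL, so the encoding is unambiguous.
func canonical(issuer, loginURL string) []byte {
	return []byte("affiliation-v1\n" + issuer + "\n" + loginURL + "\n")
}

// Sign is run once by the issuer when the business relationship is set up.
func Sign(priv ed25519.PrivateKey, issuer, loginURL string) Affiliation {
	sig := ed25519.Sign(priv, canonical(issuer, loginURL))
	return Affiliation{Issuer: issuer, LoginURL: loginURL, Sig: base64.StdEncoding.EncodeToString(sig)}
}

// originOf reduces a URL to a normalised https origin plus its path, so that
// "https://WWW.okta.com:443/x" equals "https://www.okta.com/x" while
// "https://www.okta.com@otka.com/x" (userinfo trick) and another port do not.
func originOf(raw string) (origin, path string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "https" {
		return "", "", errors.New("endorsements only cover https origins")
	}
	port := u.Port()
	if port == "" {
		port = "443"
	}
	return "https://" + strings.ToLower(u.Hostname()) + ":" + port, u.Path, nil
}

// Verify is what the user agent runs before letting the user type credentials
// into the page at clicked. trusted maps issuer host -> public key the UA
// already holds for it (how it obtained that key is out of scope here).
func Verify(trusted map[string]ed25519.PublicKey, a Affiliation, clicked string) error {
	pub, ok := trusted[a.Issuer]
	if !ok {
		return fmt.Errorf("no trusted key for issuer %q", a.Issuer)
	}
	sig, err := base64.StdEncoding.DecodeString(a.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, canonical(a.Issuer, a.LoginURL), sig) {
		return errors.New("signature invalid: blob altered or not issued by " + a.Issuer)
	}
	wantOrigin, wantPath, err := originOf(a.LoginURL)
	if err != nil {
		return err
	}
	gotOrigin, gotPath, err := originOf(clicked)
	if err != nil {
		return err
	}
	if gotOrigin != wantOrigin {
		return fmt.Errorf("landed on %s but the endorsed origin is %s", gotOrigin, wantOrigin)
	}
	// The landing path must be the endorsed path or below it: /yourcompany/login
	// is accepted, /yourcompanyevil is not.
	base := strings.TrimSuffix(wantPath, "/")
	if gotPath != wantPath && gotPath != base && !strings.HasPrefix(gotPath, base+"/") {
		return fmt.Errorf("path %q is outside the endorsed %q", gotPath, wantPath)
	}
	return nil
}

// Constructed fixture (assumed, not real keys): a fresh issuer key for
// yourcompany.com, the endorsement it signed, and the UA's key store.
var issuerPub, issuerPriv, _ = ed25519.GenerateKey(rand.Reader)
var trustedKeys = map[string]ed25519.PublicKey{"yourcompany.com": issuerPub}
var endorsement = Sign(issuerPriv, "yourcompany.com", "https://www.okta.com/yourcompany")

// CheckLanding answers "may the user enter credentials here?" for one URL.
func CheckLanding(clicked string) error {
	return Verify(trustedKeys, endorsement, clicked)
}
```

`CheckLanding("https://www.okta.com/yourcompany")` returns nil, while `CheckLanding("https://otka.com/yourcompany")` returns an origin-mismatch error even though the phisher can copy the genuine signed blob verbatim: the signature proves only that yourcompany.com endorsed www.okta.com, and it is the comparison with the page actually loaded that defeats the look-alike. Two things the example deliberately leaves out that a real design would need: the assertion carries no expiry or revocation hook, and the user agent must bind the blob to the authenticated origin it was served from (for instance the TLS connection to yourcompany.com), otherwise the issuer field alone says nothing about who presented it.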
