Comments: Phishing an epidemic, Browsers still snoozing

Take a look at SpoofStick. It is a kludgy way of verifying the URL that has been clicked through.

Not a bad idea:

Posted by allan at June 16, 2004 01:45 PM

Yes, that's the spirit - this feeds nicely into the branding idea: place a branding box on the chrome (can't be written over) that presents information that the browser can determine.

Prime amongst the features I believe is 1) presentation of the CA cert that is used and 2) the count of visits - both of these should be displayed in a way to encourage the user's memory.

Two additional things in the 4 point plan: 3) stop warning about Self-signed certs and instead display it in the branding box. 4) Also, for servers, bootstrap into self-signed certs.

Posted by Iang at June 16, 2004 03:04 PM
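The bookkeeping behind the branding box described in the comment above, as an added sketch that is not code from this blog or from any browser. The class, method and field names are hypothetical, the sample visits are constructed, and flagging a changed CA or certificate goes one step beyond the comment's "encourage the user's memory".

```javascript
// Added illustration of the "branding box" bookkeeping; every name below
// (BrandingBox, visit, the field names) is hypothetical, not a browser API.
class BrandingBox {
  constructor() {
    this.sites = new Map(); // hostname -> { ca, fingerprint, visits }
  }

  // Called once per page load with fields taken from the server certificate.
  // Returns what the chrome box would display for this visit.
  visit(host, issuer, subject, fingerprint) {
    const key = host.toLowerCase();
    // Assumption: issuer equal to subject is treated as self-signed. Point 3
    // of the plan shows that in the box rather than raising a warning dialog.
    const ca = issuer === subject ? "self-signed" : issuer;
    const notes = [];
    let rec = this.sites.get(key);
    if (!rec) {
      rec = { ca, fingerprint, visits: 0 };
      this.sites.set(key, rec);
      notes.push("first visit");
    } else if (rec.ca !== ca) {
      // The site the user remembers is now vouched for by someone else.
      notes.push(`CA changed (was ${rec.ca})`);
    } else if (rec.fingerprint !== fingerprint) {
      notes.push("certificate changed");
    }
    rec.ca = ca;
    rec.fingerprint = fingerprint;
    rec.visits += 1;
    return { host: key, ca, visits: rec.visits, notes };
  }
}

// Constructed sample visits (hostnames, CA names and fingerprints are made up).
function demo() {
  const box = new BrandingBox();
  return [
    box.visit("bank.example", "Example CA", "bank.example", "aa11"),
    box.visit("bank.example", "Example CA", "bank.example", "aa11"),
    box.visit("bank.example", "Other CA", "bank.example", "bb22"),
    box.visit("bank-login.example", "bank-login.example", "bank-login.example", "cc33"),
  ];
}
```

A look-alike host starts at a visit count of 1 with "first visit", which is the cue the box is meant to give a user who believes they have been to the site many times before.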

Many corporations have responded by shutting down access to simple information that might be used to reveal the true identity and thereby hope to avoid a phishing attack on their online client base. By protecting their Internic Whois Information they are removing a database that the browser might be able to use to verify the entity sending the webpage or for that matter the email that invites the attack.

So the response has been one of shuttering the information and making it hard for those that wish to steal a method to fabricate the identity; that response is more typical of an ostrich and begs for the complete opposite, an open more revealing means for their valued clients to verify their identity. This can of course be done with any number of features one mentioned, is the browser being altered.

But what if it is as simple as all communications for this company with its online clients use a particular IP address rather than the alpha .com or whatever. Since these numbers can be unique why not simply use them as that?

Posted by Jim at June 16, 2004 06:56 PM