Comments on: Browser-based mitigation of phishing attacks

By: Kim Cameron’s Identity Weblog » Can browser-based plugins solve the phishing problem?

Mon, 12 Feb 2007 05:35:12 +0000

[...] Dready blog proposes writes about OpenID phising and proposes a browser plugin that introduces a delay in the dialog box before it can be dismissed. The OpenID phishing issue is a hard one to solve, particularly because it aims to: [...]

By: wil

wil — Mon, 22 Jan 2007 00:40:47 +0000

@Claus:

This is just how Firefox displays IDNs where the TLD is not on their whitelist (and “.com” is not.) For IDNs on the whitelist, this will render properly in Unicode.

I should have made this clear and show just an ASCII case, thanks for the clarification.

By: 3247

3247 — Sun, 21 Jan 2007 23:48:34 +0000

Your example shows the domain name in ACE format (xn--pypal-4ve.com). This is only a good idea if the real domain is not an IDN.

For users of legitimate serves not using pure-ASCII domains, this will make any comparision impossible.

By: =marcin

=marcin — Sun, 21 Jan 2007 18:47:14 +0000

I posted my remarks to list, but I’ll repeat them here. In my opinion it is not the issue of effectiveness of warning. While idea of “delay box” is good, the problem noticed here:

“phisher can replace the password input field with javascript / DHTML / flash to bypass the check”

is more vital. My idea is: if phisher wants to bypass the check, we should warn the user. How? By NOT changing browser UI.

So my idea is: let’s change browser UI in a significant, visible way on every page that contains password field. Let’s warn users if password field looks suspicious. And let’s NOT change UI if it’s not a password field. User will notice the difference.