<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
On 03/23/2009 02:33 AM, Allen Tom:
<blockquote cite="mid:49C6D8EE.9010802@yahoo-inc.com" type="cite">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
Hi Andrew,<br>
<br>
Thanks for the follow up, as Breno and I have stated a few times, we
believe that from an anti-phishing perspective, the popup is equivalent
to the existing full browser redirect UI. If the concern is that the
browser chrome is spoofed in HTML, then I believe the special EV cert
green address bar visual indicator would also be vulnerable to spoofing
on IE and Firefox, although the treatment might be more spoofing
resistant on Safari (the visual indicator appears in the browser's
title bar).<br>
</blockquote>
<br>
Your assumptions that users will notice the difference between a window
with and without address bar are basically wrong. A small research
would tell you that most users will enter their details anyway.<br>
<br>
Which leads us again to the issue of user/pass pairs and their
usefulness (no matter what visual indicators and helpers are
presented). However a full page might protect some users still protect
better than a small pop-up...<br>
<br>
<div class="moz-signature">
<table cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>