[security] Phishing: Bookmarks to the rescue?
Dick Hardt
dick at sxip.com
Sun Jan 21 07:55:14 UTC 2007
On 20-Jan-07, at 11:47 PM, Ka-Ping Yee wrote:
>> btw: we should decide where we will have the conversation. Here or on
>> your blog! :-)
>
> Right, let's stay here on the list.
>
>> I think it is an interesting stab at how to solve the problem -- but
>> I think the core part of your strategy was the lack of the Referer:
>> header, which is easily defeated.
>
> The core part of the strategy, and the core untested claim, is that
> users can develop the habit of using a bookmark to log in. If they
> use the bookmark, they're safe; if they don't, they're not.
Ok. But users supposedly know to look for the lock and at the address
bar, but they still get phished.
>
> The Referer: header is not a phishing defense; it is a training
> mechanism intended to force users to habituate on the safe procedure.
Got it. And this is potentially better training than what they
received for the lock and address bar since it is active, and they
will see it if they don't use the bookmark, so it happens in normal
operation.
-- Dick
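The mechanism discussed above, as an added example that is not part of the original thread and not code from the OpenID project: a login endpoint that looks at the Referer: header and, when the request arrived by following a link from another site, serves a training interstitial instead of the login form. Requests with no Referer: (consistent with a typed URL or a bookmark) or with a same-site Referer: get the form. The host name login.example, the message text and the WSGI wrapper are assumptions made for this example. As the thread says, this is a training aid and not a phishing defence: a missing Referer: is not evidence that the user came from a bookmark.

```python
"""Added example (not the thread's or the project's code): Referer:-based
login training page. The host name and wording are hypothetical."""
from urllib.parse import urlsplit

SITE_HOST = "login.example"  # hypothetical: the legitimate login host

TRAINING_PAGE = (
    "You reached this page by following a link. Please log in only via "
    "your saved bookmark. Re-open this site from your bookmarks to continue."
)


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def classify_login_request(headers):
    """Classify a GET /login request by its Referer: header.

    Returns one of:
      "login_form"    - no Referer: (consistent with a typed URL or a bookmark)
                        or a Referer: from this site's own pages
      "training_page" - Referer: names another origin, i.e. the user followed
                        a link to get here, which is the habit the scheme is
                        trying to break

    Absence of Referer: is not proof of a bookmark; this is a training
    mechanism, not a defence.
    """
    referer = _header(headers, "Referer")
    if not referer:
        return "login_form"
    host = urlsplit(referer).hostname
    if host is not None and host.lower() == SITE_HOST:
        return "login_form"
    return "training_page"


def login_app(environ, start_response):
    """Minimal WSGI app wrapping the classification (runs under wsgiref)."""
    headers = {}
    if "HTTP_REFERER" in environ:
        headers["Referer"] = environ["HTTP_REFERER"]
    if environ.get("PATH_INFO") != "/login":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    if classify_login_request(headers) == "training_page":
        return [TRAINING_PAGE.encode()]
    return [b"<login form would be served here>"]


def serve_once(path, referer=None):
    """Drive login_app with a constructed WSGI environ (for local testing).
    Returns (status line, decoded body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(login_app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    from wsgiref.simple_server import make_server

    with make_server("127.0.0.1", 8080, login_app) as httpd:
        print("serving on http://127.0.0.1:8080/login")
        httpd.serve_forever()
```

Run the module directly to get a local server on port 8080; opening /login from a bookmark shows the form, while arriving via a link from another site shows the training text. Same-site referers are allowed through so that ordinary navigation inside the site does not trigger the interstitial.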