W3C home > Mailing lists > Public > www-html@w3.org > May 2006

Re: Suggestion to HTML form element to compat phishing

From: David Woolley <david@djwhome.demon.co.uk>
Date: Tue, 30 May 2006 21:03:32 +0100 (BST)
Message-Id: <200605302003.k4UK3WK00807@djwhome.demon.co.uk>
To: www-html@w3.org

> 
> 
> phisher's aren't intercepting unencrypted passwords, they are
> recreating login pages. People who fall for this won't know the

A lot of banking sites use a crude form of challenge response system
by asking for only certain characters from the password.  Anyone who
responds to a request for the whole password or to repeated samples
of different characters is a lost cause, and for the rest, the 
phisher would have to go man in middle (I generally throw them
out on the subject, and have never clicked through, so I don't
know what they actually do).

> difference. And if you store a salt in plain text, can't that simply
> be scraped?
> 
> These are two different issues. One is thwarting fake login pages, the
> real problem. The one you are addressing is unencrypted login, this
> can be solved simply by using SSL/https

It needs another problem solving, which is to educate ordinary users that
SSL is about authentication, much more than encryption, as most will
not check the address.  (If they did this throroughly, they would't
touch the majority of e-commerce sites, as the address wouldn't match
the business name.)

Of course, using SSL in authenticated client mode is likely to be even
more secure, but too technical for most.
Received on Tuesday, 30 May 2006 21:49:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:16:06 GMT