
Re: Proposal: Marking HTTP As Non-Secure

From: <0h3rr3r4@gmail.com>
Date: Thu, 4 Feb 2016 15:28:38 -0800 (PST)
To: Security-dev <security-dev@chromium.org>
Cc: public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org
Message-Id: <ea937aee-7ec3-4ef0-a9e7-d8ff3d4dc824@chromium.org>
I've followed most of this discussion with great interest. It is a good initiative, but have other alternatives been explored?

For instance, why a blacklist approach instead of a whitelist?

Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank] or [YYY Corp. | online retailer]

Simple signs are easy to understand by users; that is what I like about this initiative. However, you still need to enforce the message.

I'm sure for banks it would be easier to say:
* make sure that you see: [XXX Company | Bank] in your browser

Instead of following all these "simple" tips to "make sure" you don't fall into a phishing scam:
1 - bla
2 - bla
3 -
....
10+

Of course, we could still rely on all that has been already built: digital certificates and connection encryption so that you can authenticate the site and protect the communications behind the scenes. We could even go further with schemes to digitally sign parts of the web page and do all sorts of checks (IP, DNS) to make sure that site corresponds to that company and that economic activity. The beauty is that the end user would still see a sign of trust from a company he/she most likely trusts already: the maker of the web browser.

Certificates were not designed to go this far. Nowadays criminals hack into legitimate sites and insert fake web pages in them; users still see the lock being closed and probably a trusted certificate. So even if the communication is secure and the site is correctly authenticated, they just don't know that they are getting into the right site. This scenario is difficult to solve with a blacklist approach.

Just an opinion,

Omar Herrera
Received on Friday, 5 February 2016 16:23:33 UTC
