Dear Sir, Sirs and Madams:

1. This pretence of dangerous "phishing" is utter nonsense:-- The problem is, when, an unknown-untrusted source redirects to a known source -doesn't matter whether it puts pretty pictures on the screen - doesn't matter how many redirected-redirects it takes to get there-... any browser worth its security will control the username-password inputs and prevent "phishing".

2. "Unknown-untrusted" does -not- mean signing-up with netsol or verisign (how-ever police-y) ... It's a, sourcing, problem: "Phishing" means -browser-security:-- Tell MS, NS, ..., to fix theirs.

3. Log-in (security) is -not- a request: It's a requirement: Nobody but the Legitimate Requiror can require a requirement!-- If the browser is smart, it'll know that a URL from an e-mail that came via an IP that is not co-owned with the URL, is -not- a Legitimate Requiror ... "duh" ... and if the browser is not so smart, it'll know that any URL that came via an externally sourced page of "information", -not as the log-in'ed website-itself redirects,- is -not- a Legitimate Requiror. (Cf posted e-mail messages, blog-entries, are -externally- sourced information; but "bookmarks" are sourced from -inside- the log-in:- so long as they are not modified externally, as just said.)

4. Browsers have long put asterisks (or bullets) in the password-input on the screen-- proof that log-in security has long been recognized as a, browser, responsibility ... so the browser should not even, ask, for a password if the input box is not on a user-sourced user-requested Requiror page. Clicking on an "information" link is -not- a request for a Legitimate Requiror ... but information; The user must conscientiously -upgrade- any such information to be a request-for-requirement.

5. Any worthy browser can detect the source-security of any-every page, -how ever many steps were taken since the unknown-untrusted source page. Users are busy with ten tasks; Browsers should be assisting the user with instant-reminder of whether each hopped-back-to-task page is trusted ... And when the user wishes to upgrade a page spontaneously the browser should support that decision by verifying the page from the user-readable URL-location -even bolder letters.... Didn't the early MS/NS browsers prevent framed foreign pages from security?-- Why stop?!?

Path history, is what we're talking about here-- simple 1970's-stuff ...

Ultimately I think, proper browsers could eliminate 'spam' by obviating it-- don't ask don't tell.

6. It is no longer clear what your w3.org is about:-- it seems now to dote on verbose xml-coding; But, does xml understand what the suffix "-ment" means in "ele-ment"?-- then why bother it?! Do quotes in xml control subquotes in URLs?-- I think even you don't understand that! ... Even html was beyond comprehension when it paired a-href and img-src --verbose, verbose, verbose! Why is alt (text-idea) used only on img, but -not- on every, locally-interesting font, emphasis, boldness, color?-- The concept of hyper-document-markup-language is so-much simpler than you let-on ... (You're stuck on T-as-in-TV instead of D-as-in-DV ... it should be HDML-- document not text.)

/rkp

acting_President Raymond Kenneth Petry

Nuclear Emergency Management

project 'lambhorn'

Lanthus Corporation

Surrogate Executive Accessions Management
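
The path-history rule proposed in points 3 to 5 above, as an added sketch that is not part of the original letter and not any browser's actual behaviour. The class, method and hop-kind names and the `.example` hosts are hypothetical, and the host-confirmation step stands in for the letter's "verifying the page from the user-readable URL-location".

```javascript
// Added illustration; every name here is hypothetical, not a browser API.
const USER_SOURCED = new Set(["typed", "bookmark"]); // the user asked for this site

class PathHistory {
  constructor() {
    this.hops = [];
    this.trusted = false;
  }

  // Begin a chain. `source` records how the first URL was obtained,
  // e.g. "typed", "bookmark", "email-link".
  start(source, url) {
    this.hops = [{ kind: source, url }];
    this.trusted = USER_SOURCED.has(source);
    return this;
  }

  // Record one hop. "site-redirect" is the current site redirecting itself;
  // any other kind (e.g. "external-link") is externally sourced information.
  follow(kind, url) {
    this.hops.push({ kind, url });
    if (kind !== "site-redirect") this.trusted = false;
    return this;
  }

  // The user upgrades the current page by confirming the host they read in
  // the location bar (assumed UI step). A mismatch leaves the page untrusted.
  upgrade(confirmedHost) {
    const current = new URL(this.hops[this.hops.length - 1].url);
    if (confirmedHost === current.hostname) this.trusted = true;
    return this.trusted;
  }

  mayAskForPassword() {
    return this.trusted;
  }
}

// Constructed sample: an e-mailed link that reaches a login page in two redirects.
const mailed = new PathHistory()
  .start("email-link", "https://tracker.example/c?id=1")
  .follow("site-redirect", "https://hop.example/r")
  .follow("site-redirect", "https://bank.example/login");
console.log(mailed.hops.length, mailed.mayAskForPassword()); // 3 false
```

Redirects never restore trust in this model: only a user-sourced start or an explicit upgrade does, and a later externally sourced hop clears it again.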