Re: Suggestion to HTML form element to compat phishing from Anthony Ettinger on 2006-05-30 (www-html@w3.org from May 2006)

From: Anthony Ettinger <aettinger@sdsualumni.org>
Date: Tue, 30 May 2006 09:20:35 -0700
To: "Ka Cheung Sia" <kcsia@cs.ucla.edu>
Cc: www-html@w3.org
Message-ID: <3fc6b2fb0605300920x50cb6746v1966b134389d4b4e@mail.gmail.com>

phisher's aren't intercepting unencrypted passwords, they are
recreating login pages. People who fall for this won't know the
difference. And if you store a salt in plain text, can't that simply
be scraped?

These are two different issues. One is thwarting fake login pages, the
real problem. The one you are addressing is unencrypted login, this
can be solved simply by using SSL/https

On 5/24/06, Ka Cheung Sia <kcsia@cs.ucla.edu> wrote:
>
>
>
>
> Hi,
>
> As we know, phishing activities are very active in the Internet
> nowadays. Such vulnerability of phishing is partly because we allow a
> user's password to be sent in its plain format to the server side; it
> makes the phishers able to collect username and password by setting up a
> fradulent website that looks like a legitimate one and tempt the user to
> input their secret information. I am suggesting to add a new attribute
> within the HTML input element to improve what we are currently using
> (<input type="passowrd"/>) for password input. The new attribute will be
> something like (<input type="challenge" param="some random string"
> value="......>). The broswer will render this as a password box similar
> to what we get right now, but when sending out the data, it uses the
> value input by the user to encrypt the random string and send it back to
> the server.
>
> As you can see, the idea here is to avoid sending the password in it's
> plain format to the server; instead, it is used to encrypt a string.
> Given a corresponding changes in the server side to generate random
> string with proper timeout period when user access their login page, and
> use the same encryption/decryption mechansim to check against the
> password, phishers can no longer harvest plain password but an encrypted
> form of it. This new HTML input attribute can guard against phishing
> activites nowadays to certain extent. How do everyone feel about this
> addition?
>
> -Richard
>
>
>


-- 
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html

Received on Tuesday, 30 May 2006 16:20:50 UTC