- From: David Woolley <david@djwhome.demon.co.uk>
- Date: Tue, 30 May 2006 21:03:32 +0100 (BST)
- To: www-html@w3.org
> > > phishers aren't intercepting unencrypted passwords, they are
> > > recreating login pages. People who fall for this won't know the

A lot of banking sites use a crude form of challenge response system by
asking for only certain characters from the password. Anyone who responds
to a request for the whole password or to repeated samples of different
characters is a lost cause, and for the rest, the phisher would have to go
man in the middle (I generally throw them out on the subject, and have
never clicked through, so I don't know what they actually do).

> > > difference. And if you store a salt in plain text, can't that simply
> > > be scraped?
> >
> > These are two different issues. One is thwarting fake login pages, the
> > real problem. The one you are addressing is unencrypted login, this
> > can be solved simply by using SSL/https

It needs another problem solving, which is to educate ordinary users that
SSL is about authentication, much more than encryption, as most will not
check the address. (If they did this thoroughly, they wouldn't touch the
majority of e-commerce sites, as the address wouldn't match the business
name.) Of course, using SSL in authenticated client mode is likely to be
even more secure, but too technical for most.
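The two login schemes discussed in this thread, as an added illustration that is not part of the original message or its replies: a full-password login that stores a plain-text salt beside a slow hash (a scraped salt on its own does not give the attacker the password), and the partial-character challenge used by the banking sites mentioned above, which can only be checked if the server keeps the password in recoverable form. Function names, the work factor and the sample password are constructed for this example.

```python
"""Toy model of the two login schemes discussed above (added example, not code
from the thread). All names, the PBKDF2 work factor and the sample password are
constructed for illustration."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the toy credential store


def make_salted_record(password: str) -> dict:
    """Full-password login: store only a random salt and a slow hash.
    The salt is kept in the clear; scraping it does not reveal the password,
    it only lets an attacker start guessing against this one record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_full_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored (public) salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def issue_partial_challenge(password_length: int, k: int = 3) -> list:
    """Partial-character login: ask for k distinct positions chosen at random.
    Returns the (sorted) 0-based positions the user must answer."""
    return sorted(secrets.SystemRandom().sample(range(password_length), k))


def verify_partial_response(stored_password: str, positions: list, answers: str) -> bool:
    """The server can only check individual characters if it holds the password
    in recoverable form; a salted hash of the whole password cannot do this.
    That is the storage trade-off behind the 'crude' scheme in the message above."""
    if len(answers) != len(positions):
        return False
    expected = "".join(stored_password[i] for i in positions)
    return hmac.compare_digest(expected, answers)


def is_suspicious_challenge(positions: list, password_length: int, k: int = 3) -> bool:
    """User-side tell from the message above: a 'challenge' that asks for more
    positions than the genuine scheme ever uses, or for every character, is not
    how the real site behaves."""
    distinct = set(positions)
    return len(distinct) > k or len(distinct) == password_length
```

The partial-character path is the one worth noticing as a defender: it forces recoverable password storage on the server, so the salted-hash protection of the first path is given up in exchange for limiting what a single intercepted login reveals.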
Received on Tuesday, 30 May 2006 21:49:55 UTC