Anti-Phishing Wishing

I’ve been thinking about phishing. Firefox already has some phishing protection, but it seems to me that the best way of protecting people is to make it very clear what domain the content in every window is from. This would have two aspects:

– Make sure that some browser UI is always visible in any window
– Make sure that UI clearly shows all applicable information

The UI in question should probably be the status bar – it already has the SSL lock, and IE in XP SP2 is going for a permanent status bar – presumably for this reason.

So how do we make the bar show all applicable information? Next to the SSL lock, we put the domain name of the server.

This has been proposed before – there’s an extension for Firefox and IE which implements an entire new toolbar carrying just this information. The idea here, though, is to leverage the “glance at the lock” that people are trained to do on secure sites, so that they also see the domain and can notice if it’s not where they expect to be.

If we did this, and promoted it widely, we could harvest some really good PR. Especially if banks started recommending us because we are the browser which makes their customers most secure. Hence, I’ve written a patch and filed bug 245406.

Screenshot (with a fairly trivial phishing attempt; they can be more complex):
anti-phishing.png

10 thoughts on “Anti-Phishing Wishing”

  1. “Display domain in status bar for secure sites”

    From my own experience, most phishing sites are not secure sites, i.e. they are without SSL.

  2. Why not paint different parts of the URL in the address bar, with the user/password part in red?

  3. oleg: if the site’s not secure, people shouldn’t be typing any details into it anyway. That’s what “compulsory status bar” and “look for the lock” are all about.

    tulio: because it’s possible to open windows without an address bar. We need some UI to be compulsory. We could choose the address bar instead – but it’s bigger, it doesn’t have the lock on it, and it’s a different choice to IE, all of which are disincentives to choose that.

  4. I think Oleg’s point is a valid one. All the phishing stuff I’ve seen recently (and I just went back to look at a selection of recent attempts) doesn’t use SSL.

    Looking at recent samples, they either:
    – redirect to the real secure site and pop-up an additional “chromeless” window, so the user looks at the status bar for the window with the real site
    – hide the status bar and display a bitmap that looks like an IE status bar with a lock
    – make the window larger than the screen so as to push the status bar off the screen, and display a bitmap that looks like an IE status bar with a lock.

    The first of these was defeated by Firefox’s pop-up blocker. The second is defeated by turning off the “allow script to hide status bar” option (not to mention the fact that if people know where the Firefox lock appears and what it looks like, an imitation IE bar won’t fool them anyway). The third won’t actually be fixed by your proposal as is.

    I guess my point is that your suggestion seems like more than is necessary. Simply switching the default for the hide status bar option would do the job.

    And if you’re going ahead, your patch doesn’t deal with the technique of moving the status bar off screen rather than actually turning it off. I’m also not sure what would happen with very long hostnames – if the hostname needs to be truncated to be displayed, that must happen from the beginning, not the end.

    Banks recommending us would be nice, but we haven’t yet convinced some banks that they shouldn’t block non-IE browsers for being insecure!

  5. michael:

    – Entirely chromeless windows would be disallowed – the status bar would become compulsory.
    – This also defeats the IE (or even Firefox) status bar bitmap
    – This third one is not possible anyway – you can’t open offscreen windows.

    Gerv

  6. I like this idea (and it should be for SSL only). I think 3 more things would help:

    – Show the registered domain name only. Don’t show the privately created subdomains. e.g. ‘evil.com’ not ‘www.evil.com’ (would help with space, but I don’t know if it’s possible).

    – Make it noticeable, so as to make a strong impression that people will remember to look for. I know I often completely miss the tiny gold lock… For example, make it have a black (or dark gold) background with bold white text. That would give a strong, familiar symbol that would be checked almost unconsciously.

    – (General idea) Allow the user to enter in a list of their banking & other trusted sites. Then, whenever they visit a site from their trusted list, all the browser chrome turns gold (or some colour they choose). I think this would work very well for the tech-illiterate but security conscious (if they are informed about it).
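Pulling together the post’s proposal (domain next to the lock, for secure sites only), Michael’s point in comment 4 that long hostnames must be truncated from the beginning, and the registered-domain suggestion in comment 6, here is an added example of how the indicator string could be computed. This is illustrative code written for this page, not Gerv’s patch or any Firefox code; the public-suffix table is a constructed stand-in for a real suffix list, and every URL in it is constructed.

```javascript
// Added example: compute the text shown next to the SSL lock in the status bar.
// PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "org.uk", "example"]);

// Registered domain of a host: "evil.com" for "www.evil.com", "b.co.uk" for
// "a.b.co.uk". Returns null for IP literals, bare suffixes and unknown TLDs,
// so the caller can fall back to showing the whole host.
function registeredDomain(host) {
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return null; // IPv4 / IPv6 literal
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join("."); // one label in front of the public suffix
    }
  }
  return null;
}

// Comment 4's rule: when the host is too long, cut from the beginning and keep
// the tail, because the labels a phisher chooses freely sit at the front while
// the registered domain sits at the end.
function truncateFromStart(text, maxLen) {
  if (text.length <= maxLen) return text;
  return "\u2026" + text.slice(text.length - maxLen + 1);
}

// Indicator text for a page URL. Empty for non-https pages (lock and domain are
// shown for secure sites only). Only the host is ever shown; any user:password@
// part of the URL (comment 2) is dropped by the URL parser and never displayed.
function statusBarText(pageUrl, maxLen = 24) {
  let url;
  try { url = new URL(pageUrl); } catch { return ""; }
  if (url.protocol !== "https:") return "";
  const host = url.hostname; // hostname excludes userinfo and port
  return truncateFromStart(registeredDomain(host) ?? host, maxLen);
}
```

An IP-address host (like the one in the trackback below) has no registrable domain, so the full address is shown rather than nothing.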

  7. Cool – if the third one isn’t possible either, then they’re all defeated by just disallowing the hiding of the status bar, which goes to my point that displaying the host name is not really needed.

    I’ve just received another two phishing emails for UK bank sites; both were just popups redirecting to the bank’s (insecure) home page.

    I think the hardest task is to actually get people to look for the status bar and the lock. The current phishes mostly don’t do anything tricky – they just rely on people not bothering to check which window they’re in, let alone looking for any locks…

  8. michaell: but it’s only a matter of time before they do start using SSL (if they aren’t already; I’d heard some are) and then looking for the lock won’t be any protection.

    The only way to defeat phishing long term is to make it always clear what site you are on.

    Gerv

  9. Smile, you’re being phished!

    I’ve just received a phishing email pretending to be from CitiBank (with the logo and everything) which sends me to an IP address (port 34). It seems I’m not the only one in this situation, if the Anti-Phishing Working Group is to be believed, which has just…