[For those who may not know: site spoofing is when someone sets up a site and tries to get you to visit it, thinking it’s another site. So they might set up http://www.paypai.com (note lowercase I) and send you an email inviting you to visit “http://www.paypal.com” and give your login details.]
Site spoofing is a significant issue. It enhances phishing attempts, which is apparently already a hundred-million dollar industry, even according to pessimistic estimates. It’s our users who are being defrauded. And, as spam has shown, where there’s money to be made, the problem doesn’t just go away. It’s mozilla.org’s responsibility to do its best to deserve our reputation for security innovation by helping people to not be taken in. Domain name registrars who process thousands of applications per day at low margins can’t be expected to hold the fort.
However, finding a solution is hard because it involves communicating clearly and unambiguously to a novice user the tiny difference between a lowercase l and a lowercase i, and every other possible pair of confusable letters, without overwhelming them with so much confirmation and checking information that they just ignore all of it. I’m not sure that there’s a textual solution, due to the almost infinite variety of domain names and fonts, and the human tendency to assume something almost the same is in fact the same.
So here’s my idea. You hash the domain name, convert the hash into an RGB colour value, and colour some UI element that colour when you are on the site. This doesn’t provide any first-visit protection, but it does provide a one-glance check as to whether you are on the same www.paypal.com that you were last week. And sites where you have high-value logins tend to be ones you’ve visited before.
I continue to maintain that anti-phishing and anti-spoofing efforts are pointless if the true site doesn’t at least have SSL. So I suggest that, in Firefox, the background colour of the status bar field which shows the domain name would be the correct thing to change:
- It’s semantically associated – the domain name is what’s being hashed
- It’s part of a piece of UI (the status bar) which is always present
- People look there on secure sites to see the name and the lock anyway.
So if users know from repeat visits that is legitimate, then is easily seen as bogus.
The human eye is very sensitive to colour differences; this should mitigate the fairly unlikely event of a spoof having a similar colour to the original. This scheme also has the significant advantage that it requires no user configuration whatsoever, and only minimal instructions (“Colour not the same? Be suspicious!”).
There are extra foibles like trying to vary intensity so the colourblind don’t get too left out, and limiting the colour range to make sure the text is always readable, but that’s the basic idea. For bonus points, we should use a hash function which tries to ensure that the closer two inputs are, the more different the hashes, and for extra bonus points, all browser vendors should agree on the same hash function and colour range, so www.paypal.com is light green in all browsers.
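Here is the scheme above written out as working code, added as an illustration and not taken from the post or from Firefox. It hashes the domain name, turns the hash into a colour, and keeps lightness inside a band where black text stays readable (the "limit the colour range" and "vary intensity" points). The post names no hash function or colour range, so the choices here (32-bit FNV-1a followed by the MurmurHash3 finaliser for extra avalanche, HSL with a 75% to 90% lightness band, a 30-degree hue gap as the "looks different" threshold, and the WCAG contrast formula as the readability check) are this example's assumptions.

```javascript
// Added example (not from the original post or from Firefox): derive a
// per-domain colour for a chrome element such as the status-bar domain field.

// 32-bit FNV-1a over the ASCII bytes of the (already lower-cased) domain.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i) & 0xff;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// MurmurHash3 finaliser (assumed choice): extra avalanche so that names
// differing by one character are less likely to land on neighbouring hues.
function fmix32(h) {
  h ^= h >>> 16;
  h = Math.imul(h, 0x85ebca6b) >>> 0;
  h ^= h >>> 13;
  h = Math.imul(h, 0xc2b2ae35) >>> 0;
  h ^= h >>> 16;
  return h >>> 0;
}

// HSL (hue 0..359, s and l in 0..1) to sRGB with 0..255 channels.
function hslToRgb(h, s, l) {
  const c = (1 - Math.abs(2 * l - 1)) * s;
  const x = c * (1 - Math.abs(((h / 60) % 2) - 1));
  const m = l - c / 2;
  let rgb;
  if (h < 60) rgb = [c, x, 0];
  else if (h < 120) rgb = [x, c, 0];
  else if (h < 180) rgb = [0, c, x];
  else if (h < 240) rgb = [0, x, c];
  else if (h < 300) rgb = [x, 0, c];
  else rgb = [c, 0, x];
  return rgb.map((v) => Math.round((v + m) * 255));
}

// WCAG relative luminance, then contrast ratio of black text on this colour.
function contrastVsBlack([r, g, b]) {
  const lin = (c) => {
    const v = c / 255;
    return v <= 0.03928 ? v / 12.92 : Math.pow((v + 0.055) / 1.055, 2.4);
  };
  const y = 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
  return (y + 0.05) / 0.05;
}

// Map a domain to a colour. The top 9 hash bits pick the hue (the cue the
// eye notices most); the next 7 bits vary lightness, but only within
// 75%..90% so the field's black text stays readable whatever the domain.
function domainColour(domain) {
  const h = fmix32(fnv1a32(domain.toLowerCase()));
  const hue = Math.floor(((h >>> 23) / 512) * 360);
  const lightness = 0.75 + (((h >>> 16) & 0x7f) / 127) * 0.15;
  const rgb = hslToRgb(hue, 0.65, lightness);
  const css = '#' + rgb.map((v) => v.toString(16).padStart(2, '0')).join('');
  return { domain, hue, lightness, rgb, css };
}

// Shortest angular distance between two hues on the colour wheel.
function hueDistance(a, b) {
  const d = Math.abs(a - b) % 360;
  return d > 180 ? 360 - d : d;
}

// Two colours count as distinguishable at a glance when their hues differ by
// more than minHueGap degrees; a spoof inside that band would look alike.
function coloursDistinguishable(c1, c2, minHueGap = 30) {
  return hueDistance(c1.hue, c2.hue) > minHueGap;
}

// Demo on the constructed pair from the post: real site and look-alike.
const real = domainColour('www.paypal.com');
const spoof = domainColour('www.paypai.com');
console.log(real.css, spoof.css, 'distinguishable:', coloursDistinguishable(real, spoof));
```

Because hue is a function of the name only, the colour needs no per-user state and works identically across installs, which is what the "all browser vendors agree on the same hash" suggestion relies on; the lightness band is what keeps the domain text legible without a second, user-configured colour.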