I’ve been thinking about phishing. Firefox already has some phishing protection, but it seems to me that the best way of protecting people is to make it very clear what domain the content in every window is from. This would have two aspects:
– Make sure that some browser UI is always visible in any window
– Make sure that UI clearly shows all applicable information
The UI in question should probably be the status bar – it already has the SSL lock, and IE in XP SP2 is going for a permanent status bar – presumably for this reason.
So how do we make the bar show all applicable information? Next to the SSL lock, we put the domain name of the server.
This has been proposed before – there’s an extension for Firefox and IE which implements an entire new toolbar with just this information on it. The idea here, though, is to leverage the “glance at the lock” that people are trained to do on secure sites, so that they also see the domain and can notice if it’s not where they expect to be.
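As an added illustration, not the patch from the post, here is how a status-bar indicator could derive the string to show from the page URL. The function names are hypothetical, the sample URLs are constructed, and it relies only on the standard WHATWG URL parser (built into browsers and Node.js). It goes slightly beyond the post by also flagging internationalized hostnames, which the parser renders in punycode, so a lookalike domain cannot be displayed as if it were the real one.

```javascript
// Added example (not the original post's Firefox patch): derive the text a
// status-bar indicator shows for a page, so that the host the browser actually
// connected to is what the user sees next to the lock.
//
// Assumes the WHATWG URL API (global in Node.js and browsers). The function
// name statusBarDomain and the result shape are hypothetical.

function statusBarDomain(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    // Nothing parseable: show no host rather than a misleading one.
    return { secure: false, host: null, note: 'unparseable URL' };
  }

  // Show only the hostname. The parser discards any "user@" prefix and the
  // port, so https://www.bank.example@203.0.113.10/ yields 203.0.113.10,
  // which is the host that really answered, not the name in front of the "@".
  const host = url.hostname;

  // The lock is only meaningful for https; http:, file: and about: get none.
  const secure = url.protocol === 'https:';

  // hostname is the ASCII (IDNA) form, so non-ASCII labels appear as xn--
  // punycode; surface that so the user is not misled by a lookalike label.
  let note = '';
  if (host.split('.').some(label => label.startsWith('xn--'))) {
    note = 'internationalized hostname shown in punycode';
  }

  return { secure, host, note };
}

// Constructed sample URLs, including the "user@" form common in simple phishing.
const SAMPLES = [
  'https://www.bank.example/login',
  'https://www.bank.example@203.0.113.10/login', // real host is 203.0.113.10
  'http://www.bank.example/login',                // no lock: plain http
  'https://pаypal.example/',                       // Cyrillic "а" lookalike label
  'not a url',
];

for (const sample of SAMPLES) {
  const r = statusBarDomain(sample);
  const lock = r.secure ? '[lock]' : '[    ]';
  console.log(`${lock} ${r.host === null ? '(no host)' : r.host}  ${r.note}`.trim());
}
```

The design point is that the displayed string is taken from the parsed hostname and nothing else: not from the raw address bar text, not from page content, and not from the part of the URL before an "@", so what sits next to the lock is always the host the certificate was validated against.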
If we did this, and promoted it widely, we could harvest some really good PR. Especially if banks started recommending us because we are the browser which makes their customers most secure. Hence, I’ve written a patch and filed bug 245406.
Screenshot (with a fairly trivial phishing attempt; they can be more complex):