Jeffrey Altman wrote:
Solving the phishing problem requires changes on many levels:

(1) Some form of secure chrome for browsers must be deployed where the security either comes from a "trusted desktop" or by per-user customizations that significantly decrease the chances that the attacker can fake the web site experience. (Prevent the attacker from replicating the browser frame, toolbars, lock icons, certificate dialogs, etc.)

(2) Reducing the number of accounts and passwords (or other identifiers) that end users need to remember. With a separate identifier for each and every web site it is no surprise that my extended family can never remember what was used at each site. Therefore, it is not much of a surprise when a site says that the authentication failed.

(3) Secure mechanisms must be developed for handling enrollment and password changing.
What we really need is something similar to the built-in "remember my password" functionality of current web browsers: the browser keeps track of a login/password/certified (i.e. TLS-certificate-backed) DNS name tuple, and if it ever spots the user entering said login/password into a different website, brings up some form of dialog alerting the user to a potential phishing attack.

The downside, of course, is that:

a) It wouldn't handle password changing,
b) Some people use the same login and password *everywhere*,
c) Once you change browsers or computers, all bets are off (because the new browser doesn't know anything about which passwords you use where).

J.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
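The tuple-tracking check J. sketches, written out as an added example (not code from the post or from any actual browser): the host names and credentials are constructed sample values, and the keyed-hash store is an assumption about how such a store would avoid keeping plaintext passwords. The three downsides in the post show up as the behaviour of the last three cases in demo().

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class CredentialMonitor:
    """Remembers which certified (TLS-backed) DNS name each login/password pair
    was entered on, and flags the pair when it is later typed into another site."""
    # Per-browser-profile secret (assumed design): a new browser or machine has a
    # different key and an empty store, which is downside (c) from the post.
    key: bytes = field(default_factory=lambda: os.urandom(32))
    seen: dict = field(default_factory=dict)  # fingerprint -> set of certified hosts

    def _fingerprint(self, login: str, password: str) -> str:
        # Keyed hash so the store never holds a recoverable password.
        msg = f"{login}\0{password}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def observe(self, login: str, password: str, host: str, tls_verified: bool) -> str:
        """Returns 'untrusted-origin', 'new', 'known' or 'reused-elsewhere'."""
        if not tls_verified:
            return "untrusted-origin"  # uncertified name: nothing to bind the tuple to
        hosts = self.seen.setdefault(self._fingerprint(login, password), set())
        if not hosts:
            hosts.add(host)  # first time this pair is seen: remember where
            return "new"
        if host in hosts:
            return "known"
        return "reused-elsewhere"  # the phishing signal the post describes

    def accept(self, login: str, password: str, host: str) -> None:
        """User confirms a legitimate reuse (downside (b)); remember it for that host."""
        self.seen.setdefault(self._fingerprint(login, password), set()).add(host)


def demo() -> list:
    """Constructed sample session; hosts are placeholders, not real sites."""
    m = CredentialMonitor()
    return [
        m.observe("alice", "s3cret", "bank.example", True),        # new
        m.observe("alice", "s3cret", "bank.example", True),        # known
        m.observe("alice", "s3cret", "bank-login.example", True),  # reused-elsewhere
        m.observe("alice", "s3cret", "bank.example", False),       # untrusted-origin
        # Downside (a): a changed password is a fresh tuple, the old one is never retired.
        m.observe("alice", "n3wpass", "bank.example", True),       # new
    ]
```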