I had a look at Gervase's recent suggestion of a general approach
to the phishing problem for Firefox [1].  I definitely like the
philosophy proposed there:

    It's my view that users should have to do the minimum work
    possible to protect themselves.
    [...]
    Anything we can do to reduce the amount of work is a good thing.

The work being asked of the user, in this case, is to look at the
lower-right corner of the browser window whenever they enter a
password or other private information.  It's nice and simple, but
I'm afraid it may not be easy enough.

I'd like to suggest that noticing the *absence* of something,
especially something you're not used to looking for, may actually
be quite difficult to do consistently.  (Since most phishing attacks
don't use SSL, most attacks will yield a blank status bar.)

Looking in the lower-right corner of the window is not part of the
normal workflow for logging in to a website.  In the typical workflow,
the user already has in mind the site they're expecting to see before
they get there, and when the site appears, they head straight for the
username and password fields.  Part of the reason phishing attacks
are so successful is that the user is focused on the task at hand --
the user is thinking "I'm going to PayPal" rather than "What if this
isn't PayPal?"

So I'd like to propose bringing the notification closer to the
workflow.  How about a *non-interrupting* message that appears
next to a text field while the cursor is placed there?  I'm thinking
of a transient pop-up, like a tooltip, except it would appear
immediately when the keyboard focus enters the text field, and
disappear automatically when it leaves (a bit like an autocompletion
list).  This would resolve two problems at once: (a) the user now
notices the *presence* of a warning, rather than the absence of an
assurance; and (b) the user doesn't have to have the presence of mind
to interrupt his own train of thought and look at the status bar.

In short, less user effort required for safety.


-- ?!ng
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

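The focus-triggered notice proposed in the message above, as an added example that is not part of the original post or of Firefox's own code. It separates the decision ("is this a private field on a page not served over SSL?") from the transient display so the logic can be exercised under Node, and wires the same controller to `focusin`/`focusout` when a DOM is present. The function names, the list of autocomplete tokens treated as private, and the `example.test` URLs are assumptions made for this illustration.

```javascript
// Added example, not code from the original post or from Firefox.
// Models the proposed notice: a warning that appears the moment keyboard
// focus enters a password (or other private) field on a page not served
// over SSL, and disappears by itself when focus leaves.

// Autocomplete tokens treated as "other private information".
// Assumption for this example: the list is illustrative, not Firefox's.
const PRIVATE_AUTOCOMPLETE = new Set(
  ['cc-number', 'cc-csc', 'current-password', 'new-password']);

function isPrivateField(field) {
  if (field.type === 'password') return true;
  return PRIVATE_AUTOCOMPLETE.has((field.autocomplete || '').trim().toLowerCase());
}

// Warning text for `field` on the page at `pageUrl`, or null when nothing
// should be shown.  Note the polarity: the user sees the *presence* of a
// warning on an insecure page, never an assurance they could fail to miss.
function warningFor(pageUrl, field) {
  if (!isPrivateField(field)) return null;
  const url = new URL(pageUrl);
  if (url.protocol === 'https:') return null;
  return `Not a secure connection to ${url.hostname}: ` +
         'anything typed here is sent in the clear.';
}

// Transient notice controller.  `show` and `hide` are injected so the same
// logic drives a tooltip in a browser or a recording stub under test.
class FocusNotice {
  constructor({ show, hide }) {
    this.show = show;
    this.hide = hide;
    this.current = null;          // text currently displayed, or null
  }
  // Keyboard focus entered a field.
  focusIn(pageUrl, field) {
    const text = warningFor(pageUrl, field);
    if (text === null) { this.focusOut(); return null; }
    this.current = text;
    this.show(text);
    return text;
  }
  // Focus left: the notice goes away like an autocompletion list, with no
  // action required from the user.
  focusOut() {
    if (this.current !== null) { this.current = null; this.hide(); }
  }
}

// Tab through a constructed login form and record what the user would see.
function simulate(pageUrl, fields) {
  const events = [];
  const notice = new FocusNotice({
    show: (t) => events.push(['show', t]),
    hide: () => events.push(['hide']),
  });
  for (const f of fields) notice.focusIn(pageUrl, f);
  notice.focusOut();
  return events;
}

// Browser wiring, only when a DOM exists.  focusin/focusout bubble, so one
// pair of listeners covers every field on the page.
if (typeof document !== 'undefined') {
  const tip = document.createElement('div');
  tip.hidden = true;
  document.body.appendChild(tip);
  const notice = new FocusNotice({
    show: (t) => { tip.textContent = t; tip.hidden = false; },
    hide: () => { tip.hidden = true; },
  });
  document.addEventListener('focusin', (e) => notice.focusIn(location.href, e.target));
  document.addEventListener('focusout', () => notice.focusOut());
}

// Constructed page: a plain-http login form, as most phishing pages were.
const DEMO = simulate('http://login.example.test/',
                      [{ type: 'text', name: 'user' }, { type: 'password', name: 'pass' }]);
```

Positioning the tooltip beside the focused field (for instance from `e.target.getBoundingClientRect()`) is left out of the wiring above; the point of the example is the timing: nothing is shown while the username field has focus, the warning appears as the password field gains focus, and it disappears when focus leaves.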