Hi Heikki,

Thanks for trying out the petname tool. I'm glad you personally like
the petname tool and would use it. I'll see if I can work out the bugs
you listed. The tooltip one is perplexing since that once contained a
full tooltip text.

For the larger question of "Is this an approach that Firefox should
pursue?", I'd like to make a few observations:

1. We agree the Location tool is too hard to use as an anti-phishing
tool, even for advanced users.

On 6/14/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > To guard
> > against phishing, the user must carefully examine each character in
> > the domain name shown in the "Location tool", on each page transition.
> 
> You assume people do that. I bet most just look that it says the name of
> their bank somewhere on the page. Then you get layers on top of that:
> some look for lock icon somewhere, some look for lock icon in lower
> right hand corner, some also look at URL, some also look at URL
> carefully, ...

2. We agree the petname tool provides stronger protection against
phishing than what Firefox currently provides:

On 6/14/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> It provides stronger protection, there I agree.

3. We agree the petname tool can be deployed and used with the web as
it exists today. The petname tool does not require any changes to
existing web sites, nor does it require the participation of other
users. Simply by installing and using the petname tool, a user can
protect himself against phishing attacks. This is a huge advantage over
other anti-phishing approaches that advocate changes to authentication
protocols, changes to web sites and changes to the email
infrastructure.

4. We recognize the petname tool does not involve a centralized
authority/database, nor communications that could be used to spy on
the user.

5. We recognize the petname tool GUI consists of a single text field.
The petname tool does not require its own toolbar, and so can be
squeezed into an existing chrome area.

6. We recognize the petname tool displays information selected by the
user, not the attacker, thus defeating entire classes of phishing
attacks, such as homograph attacks.

7. You and I both like using the petname tool. I've given the tool to
a number of other people who also like using the tool. This group of
people includes non security savvy users. So we know there is at least
some group of people who would use the petname tool and benefit from
this use. Today, no one is in a position to say how large or small this
group will be. More data is needed.

I think this is a promising list of observations. I know of no other
anti-phishing tool that can match this feature list. I think it is
clear we should pursue the petname approach by gathering more user
feedback. I think the Mozilla Security Group should take an active
role in generating this user feedback. The petname tool is too good to
be simply dismissed. If Mozilla is serious about phishing, it must put
serious effort into exploring the feasibility of the petname tool.

The petname tool is at:

http://petname.mozdev.org/

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
