Re: [cap-talk] Firefox breaks the principle of identifiability
Tyler Close
list at waterken.net
Tue Feb 8 17:16:01 EST 2005
On Feb 8, 2005, at 1:46 PM, John Halleck wrote:
>
> I know of users that have been fooled by 'paypal.somename.cz'
> (I forget what the "somename" really was.)
> And users fall every day for the "one url in the link, different one
> between the A tags" trick.
>
> All the solutions given so far appear to assume the user is paying
> attention and reasonably bright.
> Nice assumption (possibly) for this group, but not in general.
Your argument reminds me a lot of the argument that users always click
the "OK" button on security dialogs, so users must be too ignorant to
handle security decisions. This argument, and yours, both ignore the
fact that the user has not been presented with any viable alternative.
In the case of security dialogs, the choice is "Don't get your work
done, or click OK". Current web browsers don't provide the user with a
viable model for coping with phishing attacks. Take a look at
Microsoft's recommendations for coping with phishing:
http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786
Given this use model, users' current behaviour is completely
understandable. If we provide a simple and easy model for coping with
phishing attacks, I think most users will benefit from it. I think the
petname toolbar meets those criteria.
Tyler
---
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
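The following is an added illustration, not code from this thread or from the petname toolbar itself, of the model Tyler is arguing for: the browser keeps a table of names the user chose for sites they already have a relationship with, and a site with no entry is shown as untrusted, so the user never has to parse a hostname. It also flags the two tricks John quotes, a trusted brand used as a subdomain of someone else's domain and link text that shows a different URL from the href. Assumptions: the site identity is keyed on the URL origin (what the real toolbar keyed on is not stated in this post), the brand list is made up, and "registrable domain = last two labels" stands in for a proper Public Suffix List lookup.

```javascript
// Constructed petname table: origin -> name the user chose for it.
const petnames = new Map([
  ["https://www.paypal.com", "My PayPal"],
  ["https://mail.example.net", "work mail"],
]);

// Site identity as assumed here: scheme + host (+ non-default port).
function originOf(urlString) {
  return new URL(urlString).origin;
}

// null means "no relationship established": the user never named this site.
// Note that http://www.paypal.com is a different origin from https://www.paypal.com.
function petnameFor(urlString) {
  return petnames.get(originOf(urlString)) ?? null;
}

// The "paypal.somename.cz" trick: a trusted brand appears as a label of the
// hostname while the registrable domain belongs to someone else.
// ASSUMPTION: registrable domain = last two labels (a real check would use
// the Public Suffix List, otherwise e.g. paypal.co.uk is mis-split).
function brandUsedAsSubdomain(hostname, brands) {
  const labels = hostname.toLowerCase().split(".");
  const registrable = labels.slice(-2).join(".");
  const prefix = labels.slice(0, -2);
  return brands.filter(
    (b) => prefix.some((l) => l.includes(b)) && !registrable.startsWith(b + ".")
  );
}

// The "one URL in the link, different one between the A tags" trick: the
// anchor's visible text looks like a URL whose host differs from the href's.
const URL_LIKE = /^(https?:\/\/)?([\w-]+\.)+[a-z]{2,}(\/\S*)?$/i;
function linkTextMismatch(href, visibleText) {
  const text = visibleText.trim();
  if (!URL_LIKE.test(text)) return false; // plain words: nothing to compare
  const shown = new URL(/^https?:\/\//i.test(text) ? text : "https://" + text);
  return shown.hostname !== new URL(href).hostname;
}

// What the toolbar would display for a page: the user's own name for the
// site if one exists, otherwise an untrusted marker (with a hint if a known
// brand is being used as a subdomain). Brand list is a constructed assumption.
function toolbarLabel(urlString, brands = ["paypal"]) {
  const name = petnameFor(urlString);
  if (name !== null) return name;
  const lookalike = brandUsedAsSubdomain(new URL(urlString).hostname, brands);
  return lookalike.length
    ? `UNTRUSTED (looks like ${lookalike.join(", ")})`
    : "UNTRUSTED";
}

// Usage
console.log(toolbarLabel("https://www.paypal.com/cgi-bin/webscr"));
console.log(toolbarLabel("https://paypal.somename.cz/login"));
console.log(linkTextMismatch("http://evil.example/login", "https://www.paypal.com/login"));
```

The point of the design is that the decision the user makes is "is this the site I named My PayPal?" rather than "is this hostname spelled exactly right?"; the lookalike and link-text checks are supplementary hints, not the primary defence.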