[cap-talk] Phishing with YURLs and Petnames

Sandro Magi smagi at naasking.homeip.net
Tue Feb 14 22:41:47 EST 2006


Jed at Webstart wrote:
> At 05:59 PM 2/14/2006, Ka-Ping Yee wrote:
> 
>> There is more we can do -- we can try to work the petname into the
>> user's workflow somehow.
> 
> 
> I agree.  However, if you argue as above that even something as
> simple as the little lock won't be acknowledged and will be ignored,
> then it would seem pretty hopeless.  I'm not nearly so pessimistic.
> I believe most people can easily master the few skills they need
> to only transfer trust from trust - if they are given effective tools
> to identify trust.

I agree to a certain extent, and this is the critical first step.

I also agree with Ping that there exist users who still will be 
fooled/make a poor decision. Unlike driving, there is no license to use 
computers and browse the internet; some people really don't yet have the 
basic knowledge needed to protect themselves.

Having the right *integrated* tools is most important for such people. 
Integrating the browser petname/bookmark database with the e-mail client 
such that a link in an e-mail highlights red and the cursor becomes a 
big X or stop sign for unrecognized URLs instead of its expected 
checkmark (with associated petname) for recognized ones is critical for 
these people. I think such a design communicates the situation and also 
integrates well with their workflow. Or as the petname paper suggests, 
the petname itself can be inserted for every known reference, and 
unknown references are highlighted in red and shown in their raw form.

Is something like this what you had in mind, Ping?

Even despite this, there will still be users who will be fooled, but 
ideally they become fewer, and fewer... :-)

Sandro
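
The mail-client integration proposed in this message, as an added example that is not part of the original post or of any real browser or mail client: each link in a message body is replaced by its petname when recognized, and shown raw and flagged otherwise. The names `PETNAMES`, `origin_of`, `classify` and `annotate` are hypothetical, the database entries are constructed, and keying petnames on the exact (scheme, host, port) is an assumption of this sketch.

```python
import re
from urllib.parse import urlsplit

# Constructed petname database (assumption of this sketch):
# exact origin (scheme, host, port) -> name the user chose.
PETNAMES = {
    ("https", "www.mybank.example", 443): "My Bank",
    ("https", "mail.example.org", 443): "Work Mail",
}

DEFAULT_PORTS = {"http": 80, "https": 443}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def origin_of(url):
    """Return (scheme, host, port), or None if the URL cannot be parsed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; anything before '@' is dropped
        port = parts.port
    except ValueError:
        return None  # malformed host or port: fail closed
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    if not host or port is None:
        return None
    return (parts.scheme, host.rstrip("."), port)


def classify(url):
    """Return ('known', petname) or ('unknown', raw_url)."""
    petname = PETNAMES.get(origin_of(url))
    if petname is not None:
        return ("known", petname)
    # No substring or fuzzy matching: only an exact origin earns a petname.
    return ("unknown", url)


def annotate(body):
    """Replace known links with their petname; flag the rest in raw form."""
    def mark(match):
        status, label = classify(match.group(0))
        if status == "known":
            return "[OK: %s]" % label
        return "[UNRECOGNIZED: %s]" % label
    return URL_RE.sub(mark, body)
```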

