[cap-talk] Phishing with YURLs and Petnames
smagi at naasking.homeip.net
Tue Feb 14 22:41:47 EST 2006
Jed at Webstart wrote:
> At 05:59 PM 2/14/2006, Ka-Ping Yee wrote:
>> There is more we can do -- we can try to work the petname into the
>> user's workflow somehow.
> I agree. However, if you argue as above that even something as
> simple as the little lock won't be acknowledged and will be ignored,
> then it would seem pretty hopeless. I'm not nearly so pessimistic.
> I believe most people can easily master the few skills they need
> to only transfer trust from trust - if they are given effective tools
> to identify trust.

I agree to a certain extent, and this is the critical first step.

I also agree with Ping that there exist users who still will be
fooled/make a poor decision. Unlike driving, there is no license to use
computers and browse the internet; some people really don't yet have the
basic knowledge needed to protect themselves.

Having the right *integrated* tools is most important for such people.
Integrating the browser petname/bookmark database with the e-mail client
such that a link in an e-mail highlights red and the cursor becomes a
big X or stop sign for unrecognized URLs instead of its expected
checkmark (with associated petname) for recognized ones is critical for
these people. I think such a design communicates the situation and also
integrates well with their workflow. Or as the petname paper suggests,
the petname itself can be inserted for every known reference, and
unknown references are highlighted in red and shown in their raw form.

Is something like this what you had in mind, Ping?

Even despite this, there will still be users who will be fooled, but
ideally they become fewer, and fewer... :-)
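
The link treatment proposed in this message, sketched as an added example that is not part of the original post or of any petname tool: each link in an HTML e-mail is shown under the user's petname when its target is recognized, and in raw form, flagged, when it is not. The hostname-keyed database, the https-only rule, the function names and the sample message are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed petname database: exact host -> name the user assigned.
# Assumption: keyed by hostname for brevity; a real petname store would key
# on the site's cryptographic identity (e.g. the key hash carried in a YURL).
PETNAMES = {"www.examplebank.test": "My Bank", "mail.example.test": "Work mail"}

# Constructed sample message: a genuine link, a lookalike host whose link text
# imitates the real URL, and a userinfo trick whose link text is the petname.
SAMPLE_EMAIL = """<p>Dear customer,
<a href="https://www.examplebank.test/login">log in</a>,
<a href="https://www.examp1ebank.test/login">https://www.examplebank.test/login</a>,
<a href="https://www.examplebank.test@login.example.net/">My Bank</a></p>"""

def classify(href, petnames):
    """Return (status, text_to_display, href) for one link target."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()  # hostname excludes any user@ prefix
    except ValueError:                         # malformed URL: treat as unknown
        return ("unrecognized", href, href)
    # Assumption: a petname is only shown for an authenticated (https) target.
    if parts.scheme == "https" and host in petnames:
        return ("recognized", petnames[host], href)
    return ("unrecognized", href, href)        # raw form, to be rendered in red

class LinkAnnotator(HTMLParser):
    """Classify every <a href>; the sender's own link text is never used."""
    def __init__(self, petnames):
        super().__init__()
        self.petnames = petnames
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(classify(href, self.petnames))

def annotate(html_body, petnames=PETNAMES):
    parser = LinkAnnotator(petnames)
    parser.feed(html_body)
    return parser.links

if __name__ == "__main__":
    for status, shown, _ in annotate(SAMPLE_EMAIL):
        print(f"{'[OK]  ' if status == 'recognized' else '[STOP]'} {shown}")
```

Only the first link is displayed as "My Bank"; the other two are shown as their raw targets, because the text a sender puts inside the link never reaches the display.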