Browsers, phishing, and user interface design
Scott Granneman, 2006-06-05

Phishing works for so many reasons that we need to rethink browser and user interface design to provide some real-life security to the average user who doesn't see or understand the security cues.

Sure. Lots of ideas... 2006-06-05
Anonymous (2 replies)
Your First Statement Is Right 2006-06-06
Anonymous (1 replies)
Re: Your First Statement Is Right 2006-06-07
Anonymous (1 replies)
Re: Sure. Lots of ideas... 2006-06-24
Anonymous
Browsers, phishing, and user interface design 2006-06-06
Todd Knarr
From a technical standpoint, I don't think there's much that can be done. This isn't really a technical problem. The best we might be able to do is to add an identity filter to browsers. Basically, an easy way to say "I'm about to talk to *this* entity. Accept only servers who can validate against that entity's credentials, refuse to talk to anything else." This requires an easy way to obtain a site's SSL certificate, load it into the browser and associate it with a name for the site, and then select a site's name while browsing to begin enforcing the restriction. After that things like URL are irrelevant; if the server can't authenticate against one of the listed certificates for the currently-selected site name the browser simply won't make requests to it. Note that, while I think this is the only technical measure that might help, I don't think it'll really help. Phishers will just send e-mail with their certificate asking users to add it to their browser and associate it with a particular site (perhaps under the guise of a site updating their certificates and "providing this e-mail as a service to our users to avoid any unwanted problems with your browsing experience after our security upgrades"), users will do as they're asked and phishing will continue unabated.

The only other thing that'll help is for users to get a clue and start applying a simple rule: never ever trust a communication someone else initiates. If you got a phone call claiming to be from the power company saying your bill is overdue but if you can give them your bank-account information over the phone they can debit your account and you'll avoid having your power turned off, most people would (or should) know enough to hang up, find the power company's billing number on their last bill or in the phone book, place the call themselves and talk to the billing people to find out if they really were overdue. Same with e-mails: close the e-mail, find the company's URL in your bookmarks or from another independent source (you probably have it bookmarked if you've got a regularly-used login with them), go there *without* using any links anyone else provided and see if there's any hint of what the e-mail said you needed to do. If you really need to verify your identity or something, there'll be a message about it either during log-in or in your account messages area. If you initiate the contact using a URL you already had before the phisher sent his message, the phisher can't mislead you into going to his site instead (modulo DNS poisoning or something like that).

Personally though, I think that as long as we've got clueless, credulous lusers who'll believe anything anyone tells them to believe, we'll always have these problems. "Con artist" is right up there with "prostitute" in the running for world's oldest profession, and if they haven't run out of suckers by now I don't think they ever will.

Link to this comment: http://www.securityfocus.com/comments/columns/405/33694#33694
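The identity filter sketched in the comment above, written out as an added illustration that is not part of this thread: a pin store keyed by a user-chosen site name, with enforcement switched on only while a site is selected. The class and method names (`IdentityFilter`, `check`) and the DER byte strings are constructed for this example.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded; this is the value we pin."""
    return hashlib.sha256(der_bytes).hexdigest()


class IdentityFilter:
    """Per-site certificate pin store with a user-selected 'current site'."""

    def __init__(self) -> None:
        # site name chosen by the user -> fingerprints of the certificates imported for it
        self.pins: Dict[str, Set[str]] = {}
        self.selected_site: Optional[str] = None

    def add_certificate(self, site_name: str, der_bytes: bytes) -> str:
        """Import a certificate and associate it with a site name; returns its fingerprint."""
        fp = cert_fingerprint(der_bytes)
        self.pins.setdefault(site_name, set()).add(fp)
        return fp

    def select_site(self, site_name: Optional[str]) -> None:
        """Turn enforcement on for one site name (or off again with None)."""
        if site_name is not None and site_name not in self.pins:
            raise KeyError(f"no certificates pinned for {site_name!r}")
        self.selected_site = site_name

    def check(self, host: str, presented_der: bytes) -> Tuple[bool, str]:
        """Decide whether a request to `host` may proceed given the certificate it presented.
        While a site is selected, the host name and URL are deliberately ignored: only a
        certificate the user imported for that site name is accepted."""
        if self.selected_site is None:
            return True, f"no site selected; {host} handled by normal browsing rules"
        if cert_fingerprint(presented_der) in self.pins[self.selected_site]:
            return True, f"{host} authenticated as {self.selected_site!r}"
        return False, f"{host} holds no pinned certificate for {self.selected_site!r}"


# Constructed stand-ins for DER certificate bytes (not real certificates).
BANK_CERT_DER = b"constructed-der:legitimate-bank-cert"
LOOKALIKE_CERT_DER = b"constructed-der:lookalike-site-cert"
```

Because the decision rests on the imported certificates alone, a lookalike host name is refused while the bank is selected; equally, the filter is only as strong as the import step, which is exactly the caveat the comment raises.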
Send them to AOL 2006-06-07
Anonymous
Stop babying people 2006-06-09
Anonymous
Wrong end to start patching 2006-06-12
Thomas Nilsen (1 replies)
Re: Wrong end to start patching 2006-06-12
Anonymous
Ingredients of possible solutions 2006-06-16
S. Lo Presti
Users ignore alert messages... 2006-06-20
Anonymous
simple: 2006-06-24
ailaG

Copyright 2007, SecurityFocus