Security Basics mailing list archives
Re: Anti-Phishing with digital watermarking
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Sat, 27 Sep 2008 01:23:46 +0200
On 2008-09-26 Alcides wrote:
> Recently came across some interesting text while reading about
> anti-phishing techniques, that can be implemented server-side.
>
> -----------------<snip>------------------------------------
> If we insert something like obfuscated java-script in the original
> website [which alerts us when run under any URL other than the
> authentic] we can get alerted against these attacks.
> -----------------<snip>------------------------------------

Bad idea for at least three reasons:

- Alerts based on client-side scripting won't work when scripting is
  disabled in the browser, which is the more secure setting to begin
  with. So, to enable this kind of alert, you'd have to lower the
  overall security of the browser.
- With client-side scripting enabled, phishers can most easily use the
  very same technology to rewrite those parts of the included original
  page they don't like.
- Even with client-side scripting disabled, phishers can still use
  server-side scripting to rewrite those parts of the original page
  they don't like, because they're acting as a man-in-the-middle.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq