Security Basics mailing list archives

Re: Anti-Phishing with digital watermarking


From: "Razi Shaban" <razishaban () gmail com>
Date: Mon, 29 Sep 2008 19:28:06 +0400

> Bad idea for at least three reasons:

I hope the others are more sound.

> - Alerts based on client-side scripting won't work when scripting is
>   disabled in the browser, which is the more secure setting to begin
>   with. So, to enable this kind of alert, you'd have to lower the
>   overall security of the browser.

People who have enough tech knowledge to disable scripting are not the
target audience of phishing. Those are the people least likely to fall
for it. It is rather the people who don't know what a "script" is that
are going to be susceptible.

> - With client-side scripting enabled, phishers can most easily use the
>   very same technology to rewrite those parts of the included original
>   page they don't like.

I'm not even sure what this means, but this watermarking (for lack of
a better term) can be removed. All watermarking can be removed.
However, this watermarking is not meant to show up on the user's
screen, but rather to make the original author aware of the phishing
attempts.

> - Even with client-side scripting disabled, phishers can still use
>   server-side scripting to rewrite those parts of the original page they
>   don't like, because they're acting as a man-in-the-middle.

If the phisher is not aware of or cannot find the exact code
responsible for the phone-home reaction, they can't remove it.


A general response to your ideas on disabling client-side scripting is
easily refuted by the idea of scale. Phishing does not target one, it
targets many. If one user — hell, seventy — have all the protection
afforded by modern technology, the phone-home reaction will still take
place. Why? Because any phishing worth mentioning is viewed thousands
of times, and at least one of the users being targeted will be running
IE5 with absolutely no security. The goal of this is, again, to make
the original author aware of the phishing, not to prevent it
altogether.


Cheers,
Razi Shaban
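The "phone-home reaction" debated in this thread, written out as an added example that is not code from the thread or from either poster. It assumes a login page that legitimately lives on example.com hosts (the host list, the report endpoint and the sample requests are all constructed for the example). Two pieces are shown, matching the two cases the reasons above distinguish: a client-side script that reports when the page finds itself served from an unexpected host, and a server-side check on the Referer of a resource the page always loads, which still fires for visitors who have scripting disabled, provided the cloned HTML kept the absolute resource URL.

```javascript
// Added example, not from the mailing-list thread. Hosts, endpoint and
// sample inputs are assumptions constructed for this illustration.

const EXPECTED_HOSTS = ["example.com", "www.example.com", "login.example.com"];

// Normalise a host name: lowercase, drop any port, drop a trailing dot.
function normaliseHost(host) {
  return String(host || "").toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// True when the host is one the genuine page is allowed to be served from.
function isExpectedHost(host, expected = EXPECTED_HOSTS) {
  const h = normaliseHost(host);
  return expected.map(normaliseHost).includes(h);
}

// Client side: build the report the embedded script would send when the
// page is running somewhere it should not. Returns null on a genuine host.
function buildClientReport(loc, expected = EXPECTED_HOSTS) {
  if (isExpectedHost(loc.hostname, expected)) return null;
  return {
    kind: "client-script",
    servedFrom: normaliseHost(loc.hostname),
    path: loc.pathname || "/",
    page: loc.href,
  };
}

// Server side: classify a request for a resource (image, stylesheet) the
// genuine page embeds, using the Referer header. Browsers normally send a
// Referer for such sub-resources, but it can be absent (privacy settings,
// Referrer-Policy), so a missing or unparsable Referer is "unknown", never
// silently treated as genuine.
function classifyResourceRequest(headers, expected = EXPECTED_HOSTS) {
  const referer = headers["referer"] || headers["Referer"];
  if (!referer) return { verdict: "unknown", servedFrom: null };
  let refHost;
  try {
    refHost = new URL(referer).hostname;
  } catch (e) {
    return { verdict: "unknown", servedFrom: null };
  }
  if (isExpectedHost(refHost, expected)) {
    return { verdict: "genuine", servedFrom: normaliseHost(refHost) };
  }
  return { verdict: "clone", servedFrom: normaliseHost(refHost), page: referer };
}

// Browser glue: only meaningful inside a page, guarded so the file also
// runs under Node. Returns whether a report was warranted.
function installClientWatermark() {
  if (typeof window === "undefined" || typeof navigator === "undefined") return false;
  const report = buildClientReport(window.location);
  if (report && navigator.sendBeacon) {
    // Report endpoint is an assumption of this example.
    navigator.sendBeacon("https://www.example.com/watermark-report", JSON.stringify(report));
  }
  return report !== null;
}

// Constructed sample inputs (a look-alike host under the reserved .test TLD).
const SAMPLE_CLONE_LOCATION = {
  hostname: "exarnple-login.test",
  pathname: "/secure/login.html",
  href: "http://exarnple-login.test/secure/login.html",
};
const SAMPLE_GENUINE_LOCATION = {
  hostname: "LOGIN.example.com.",
  pathname: "/",
  href: "https://login.example.com/",
};
const SAMPLE_CLONE_HEADERS = {
  referer: "http://exarnple-login.test/secure/login.html",
  "user-agent": "constructed",
};
const SAMPLE_NOSCRIPT_HEADERS = { "user-agent": "constructed" };

installClientWatermark();
```

The split mirrors the thread's argument: the script-based report covers the many visitors who browse with scripting enabled, while the Referer check on an always-loaded resource is the fallback for the rest, and it fails toward "unknown" rather than "genuine" when the header is missing. A phisher who rewrites the cloned page, client- or server-side, can strip either hook, which is exactly the limitation the quoted reasons raise; neither mechanism prevents the phish, it only gives the site owner a chance to learn where the copy is being served from.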

