Security Basics mailing list archives
Re: Anti-Phishing with digital watermarking
From: "Razi Shaban" <razishaban () gmail com>
Date: Mon, 29 Sep 2008 19:28:06 +0400
> Bad idea for at least three reasons:

I hope the others are more sound.

> - Alerts based on client-side scripting won't work when scripting is disabled in the browser, which is the more secure setting to begin with. So, to enable this kind of alert, you'd have to lower the overall security of the browser.

People who have enough tech knowledge to disable scripting are not the target audience of phishing. Those are the people least likely to fall for it. It is rather the people who don't know what a "script" is that are going to be susceptible.

> - With client-side scripting enabled, phishers can most easily use the very same technology to rewrite those parts of the included original page they don't like.

I'm not even sure what this means, but this watermarking (for lack of a better term) can be removed. All watermarking can be removed. However, this watermarking is not meant to show up on the user's screen, but rather to make the original author aware of the phishing attempts.

> - Even with client-side scripting disabled, phishers can still use server-side scripting to rewrite those parts of the original page they don't like, because they're acting as a man-in-the-middle.

If the phisher is not aware of or cannot find the exact code responsible for the phone-home reaction, they can't remove it.

A general response to your ideas on disabling client side scripting is easily refuted by the idea of scale. Phishing does not target one, it targets many. If one user — hell, seventy — have all the protection afforded by modern technology, the phone-home reaction will still take place. Why? Because any phishing worth mentioning is viewed thousands of times, and at least one of the users being targeted will be running IE5 with absolutely no security. The goal of this is, again, to make the original author aware of the phishing, not to prevent it altogether.

Cheers,
Razi Shaban
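
The site-owner side of the phone-home idea discussed in this message, as an added example that is not part of the original thread: it scans web server access logs for loads of a watermark resource whose Referer is a foreign host, and ignores hits that carry no Referer, since a single hit that does carry one is enough to raise the alert. The beacon path, host names and log format are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions (not from the thread): the watermark is a tiny resource at
# BEACON_PATH embedded in the genuine page, served only from LEGIT_HOSTS.
BEACON_PATH = "/static/wm.gif"
LEGIT_HOSTS = {"bank.example", "www.bank.example"}

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def suspected_clone_hosts(lines):
    """Count beacon hits per Referer host that is not one of our own."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or urlsplit(m["target"]).path != BEACON_PATH:
            continue  # unparsable line, or not a request for the beacon
        host = (urlsplit(m["referer"]).hostname or "").lower()
        # A missing Referer ("-" or empty) carries no signal either way;
        # only a Referer naming a host we do not operate is reported.
        if host and host not in LEGIT_HOSTS:
            hits[host] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, .example names).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Sep/2008:15:01:02 +0000] "GET /static/wm.gif HTTP/1.1" '
    '200 43 "https://www.bank.example/login" "Mozilla/5.0"',
    '203.0.113.20 - - [29/Sep/2008:15:02:10 +0000] "GET /static/wm.gif HTTP/1.1" '
    '200 43 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [29/Sep/2008:15:02:44 +0000] "GET /static/wm.gif?v=3 HTTP/1.0" '
    '200 43 "http://login-bank.example.net/secure/" "Mozilla/4.0 (compatible; MSIE 5.0)"',
    '203.0.113.22 - - [29/Sep/2008:15:03:05 +0000] "GET /static/wm.gif HTTP/1.1" '
    '200 43 "http://LOGIN-BANK.example.net/secure/index.php" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Sep/2008:15:04:00 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "http://other.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in suspected_clone_hosts(SAMPLE_LOG).most_common():
        print(f"beacon loaded from foreign page host {host}: {n} hit(s)")
```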