Security Basics mailing list archives

Re: Anti-Phishing with digital watermarking


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Sat, 27 Sep 2008 01:23:46 +0200

On 2008-09-26 Alcides wrote:
> Recently came across some interesting text while reading about 
> anti-phishing techniques, that can be implemented server-side.
> -----------------<snip>------------------------------------
> If we insert something like obfuscated java-script in the original
> website [which alerts us when run under any URL other than the
> authentic] we can get alerted against these attacks.
> -----------------<snip>------------------------------------

Bad idea for at least three reasons:

- Alerts based on client-side scripting won't work when scripting is
  disabled in the browser, which is the more secure setting to begin
  with. So, to enable this kind of alert, you'd have to lower the
  overall security of the browser.
- With client-side scripting enabled, phishers can most easily use the
  very same technology to rewrite those parts of the included original
  page they don't like. 
- Even with client-side scripting disabled, phishers can still use
  server-side scripting to rewrite those parts of the original page they
  don't like, because they're acting as a man-in-the-middle.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
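Added example, not part of the original thread: a small Node.js model of the "JavaScript canary" Alcides quoted, evaluated under the conditions Ansgar raises (scripting disabled in the browser, and a man-in-the-middle serving a copy of the page with the canary stripped). The host name bank.example, the reporting URL, the function names and the two HTML samples are all constructed for the example; obfuscation is omitted because it does not change the outcome.

```javascript
// Constructed values: an assumed legitimate host and reporting endpoint.
const AUTHENTIC_HOST = "bank.example";
const REPORT_URL = "https://bank.example/canary";

// The canary a site might embed: if the page is running on a host other than
// the authentic one, send a beacon naming that host.
const CANARY_SCRIPT =
  `<script>if(location.hostname!=="${AUTHENTIC_HOST}")` +
  `{new Image().src="${REPORT_URL}?h="+encodeURIComponent(location.hostname)}</script>`;

// Constructed sample: the page as the legitimate site serves it.
const ORIGINAL_PAGE =
  `<html><body><form action="/login">...</form>${CANARY_SCRIPT}</body></html>`;

// Constructed sample: the same page as a man-in-the-middle serves it after
// rewriting the part it does not like (Ansgar's third point). No canary left.
const REWRITTEN_PAGE =
  `<html><body><form action="/login">...</form></body></html>`;

// Simulate a browser loading `html` on `hostname`. Returns the host name the
// canary would report, or null when no beacon would be sent.
function simulateLoad(html, hostname, scriptingEnabled) {
  if (!scriptingEnabled) return null;          // first point: script never runs
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  if (!m) return null;                         // no canary in the served page
  let reported = null;
  // Fake `Image` whose src setter records the beacon instead of fetching it.
  const Image = function () {
    return { set src(u) { reported = decodeURIComponent(u.split("?h=")[1]); } };
  };
  // Run the canary body with a fake `location` and the fake `Image`.
  new Function("location", "Image", m[1])({ hostname }, Image);
  return reported;
}

// Summarise detection coverage for the scenarios discussed in the thread.
function coverage() {
  return {
    legitimateHost: simulateLoad(ORIGINAL_PAGE, AUTHENTIC_HOST, true),     // null
    copiedPageScriptOn: simulateLoad(ORIGINAL_PAGE, "phish.example", true), // "phish.example"
    copiedPageScriptOff: simulateLoad(ORIGINAL_PAGE, "phish.example", false), // null
    rewrittenByMitm: simulateLoad(REWRITTEN_PAGE, "phish.example", true),   // null
  };
}

console.log(coverage());
```

Only the case where the phishing site serves the page verbatim with scripting enabled produces a beacon; the two conditions Ansgar describes leave the defender with no alert at all, which is the point of his objection.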