Spoofing phishing attacks, SSL and TrustBar

[Amir Herzberg <herzbea () macs biu ac il>]

Ivan Krstic kindly copied me on a note he sent to this group recently,
on the topic `Growing Bad Practice with Login Forms`. Ivan noted that my
recent work with Ahmad Gbara is relevant to it. The ideas are in
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm; Ahmad is
developing an implementation for Mozilla which you can see/try at
http://TrustBar.MozDev.org - but this is not yet an `announcement` for
it since it is still in debugging (although, I use different versions of
it for a couple of months now and find it already very useful). If any
of you want to implement for other browsers (or to improve on Ahmad's
implementation), you are very welcome.

TrustBar is a tiny browser (currently Mozilla) extension to display
clear warning in insecure sites, and display the name of the site, or
preferably a logo or icon selected by the user or certified by an
authority trusted by the user (a CA or a friend or the Trademark
Office...). The warning is fixed in the top of every Mozilla window,
including helper app windows, so it cannot be spoofed by the site. There
is a lot more - see the paper and send us comments...

Most relevant to the discussion you had here (I looked a bit in your
archive) may be some screen shots which show how some of the largest web
sites (Microsoft Passport, Yahoo, Ebay, Amazon, Chase, TD Waterhouse)
prompt users for passwords etc. in unprotected pages (sometimes claiming
they are protected...), see in paper or directly:
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing_files/image005.gif