WebApp Sec mailing list archives

RE: Phishing


From: "Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>
Date: Thu, 13 May 2004 10:55:05 +0100

This is the most workable of all ideas I think, it would certainly draw people's attention to the fact that the 
submission was a little bit iffy. Whether this would then prompt them not to continue or indeed whether the message 
could be clearer in its explanation of what is going on is less likely.
 
It may also be that as authentication on a URL is possibly an advanced feature, it could be off by default, and 
explicitly turned on by the user who understands what the resultant addresses look like and would therefore be better 
educated to spot things like this.
 
Protecting the user with default config is possibly the way to go with this.  However, as without Outlook, I'd 
occasionally like to override this.  For example, to open the Word doc that my colleague has sent from across the room and 
not be told it can't ever be done.
 
Ian

        -----Original Message----- 
        From: Rogan Dawes [mailto:discard () dawes za net] 
        Sent: Thu 13/05/2004 07:42 
        To: Griffiths, Ian 
        Cc: webappsec () securityfocus com 
        Subject: Re: Phishing
        
        "You have clicked a link to 'nefarious.fraud.net', with username
        'secure.bank.com' and password '********'. Do you want to continue? Ask
        me next time (x)"
        
        I guess this could be a password dialogue, with the username and
        password filled in, similar to the current basic auth password dialogs.
        
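As an added illustration of the two proposals in this exchange (not code from either poster), the following JavaScript shows how a mail client or browser could inspect a clicked link: credentials embedded in the URL are refused by default, as Ian suggests, and when the user has explicitly enabled the feature the client builds the warning text Rogan sketched, with the real host named first and the password masked. It relies on the WHATWG `URL` parser available in Node.js and modern browsers; the function and option names (`inspectLink`, `allowUrlCredentials`, `trustedHosts`) are my own, and the example links are constructed for the demonstration.

```javascript
// Added example, not from the thread. Decides what to do with a clicked link
// whose address may carry a username/password before the '@' sign, the trick
// phishers use so that 'secure.bank.com' appears at the front of the address
// while the real destination is the part after the '@'.

// Fixed-width mask so the dialog neither shows the password nor leaks its length.
function maskPassword() {
  return "********";
}

// Percent-decode a userinfo component for display; fall back to the raw form
// if the encoding is malformed rather than throwing inside a dialog.
function decodeForDisplay(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value;
  }
}

// Returns { action: "open" | "ask" | "block", host, username, message }.
// Options (names are this example's own, not any client's real settings):
//   allowUrlCredentials: false by default, i.e. links with embedded
//                        credentials are refused unless the user opted in.
//   trustedHosts:        Set of real destination hosts the user already
//                        accepted via an "ask me next time" style checkbox.
function inspectLink(href, options = {}) {
  const { allowUrlCredentials = false, trustedHosts = new Set() } = options;

  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { action: "block", host: "", username: "", message: `Cannot parse link '${href}'.` };
  }

  const host = url.hostname;
  const username = decodeForDisplay(url.username);
  const password = decodeForDisplay(url.password);

  // Ordinary link: nothing before the '@', so just open it.
  if (username === "" && password === "") {
    return { action: "open", host, username: "", message: "" };
  }

  // Default configuration: credentials in the address are refused outright.
  if (!allowUrlCredentials) {
    return {
      action: "block",
      host,
      username,
      message: `Links that carry a username in the address are disabled; the real destination is '${host}'.`,
    };
  }

  // User previously chose "don't ask again" for this destination.
  if (trustedHosts.has(host)) {
    return { action: "open", host, username, message: "" };
  }

  // Opted-in user: show the dialog text with the real host first.
  const passwordPart = password === "" ? "no password" : `password '${maskPassword()}'`;
  const message =
    `You have clicked a link to '${host}', with username '${username}' and ${passwordPart}. ` +
    `Do you want to continue?`;
  return { action: "ask", host, username, message };
}

// Usage with a constructed phishing-style link:
const sample = inspectLink("http://secure.bank.com:login@nefarious.fraud.net/account", {
  allowUrlCredentials: true,
});
console.log(sample.action, "-", sample.message);
```

Note that the parser, not string searching, decides which part is the host: the text before the first `:` is the username, the text up to the `@` is the password, and everything after the `@` is the real destination, so the dialog always names the destination host first.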