WebApp Sec mailing list archives
Anti-Phishing, why it doesn't work
From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Mon, 24 Jan 2005 11:34:48 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We all know that the number one reason why Anti-Phishing mechanisms do not work is because of dumb users. But there are other reasons why many mechanisms may fail.

IMHO, the computer display is another major culprit. If I can gain access to a person's display (via email software vulnerabilities, specially formed HTML pages, etc), I can pretty much make it look like anything I want to. I can make it look as though a web page is through a secure connection with images and I can also create a false address bar with images. And currently, there is nothing really that you can do about it unless you make all of your users press Ctrl+Alt+Del to access a secure website.

But what about next-generation displays? The problem with current displays is that they are all flat, two dimensional, and one component can be mistaken for another. But a 3D monitor could overcome this problem. Operating systems could allocate a "secure depth", a level of a 3D screen where all operations are secured, and it is safe to access secure websites and the like.

Sharp already has a monitor out that will do this:

http://www.sharpsystems.com/products/lcd_monitors/15-17_inch/ll-151-3d/

If you don't mind paying $1500 for a 15" 3D monitor, this is the choice for you (not to mention the added cost of redeveloping operating system desktops for secure applications). But this is kind of a phun idea to kick around. 3D monitors haven't even begun to see their potential, but maybe we'll see something interesting in the next 5-10 years.

- -Joseph Miller
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB9SOrmXZROF+EADURAqQ8AJ9xSG2hGnEyVL/PBnQ59B/SscRtDACeIb6X
ab6TEmlT7lH8looKBahhDR4=
=co/J
-----END PGP SIGNATURE-----