WebApp Sec mailing list archives
Re: Firefox extensions for fighting phishing
From: "Sean P. DeMerchant" <warnings () envisagement com>
Date: Tue, 19 Jul 2005 02:28:17 -0700
----- Original Message -----
From: "Saqib Ali" <docbook.xml () gmail com>
To: "Mamading Ceesay" <mamading () gmail com>
Cc: <webappsec () securityfocus com>
Sent: Saturday, July 16, 2005 7:26 PM
Subject: Re: Firefox extensions for fighting phishing
couple more:
Spoofstick http://www.corestreet.com/spoofstick/
Netcraft Toolbar http://toolbar.netcraft.com/ (This one is the BEST)
Outfoxed - http://getoutfoxed.com/
TrustBar - http://trustbar.mozdev.org/
The Netcraft toolbar is next to useless. The last time I checked it could be fooled by a frameset. So if someone could hack a frameset onto the host server, i.e.,
http://www.somewhere.net/only_fools_would_click_on_this_link/login.html
then the frameset in login.html could reframe the entire page to:
http://www.steal_your_info.net/sucker.html
and Netcraft would tell you you were on www.somewhere.net which is not terribly useful.
Albeit, I ran this test 6-8 weeks ago using IE. Nonetheless, until such a toolbar lists all the source websites or shows a warning when any data comes from an external site (adservers included) such tools are virtually useless for stopping phishing (they may stop some, but mostly they will give a false sense of confidence).
I have not tried the others.
Please note I do like some of the other services Netcraft provides (i.e., uptime for shared hosting, ...) so I am not just naysaying. But the Netcraft toolbar the last I looked is not terribly useful for stopping phishing completely and it will lie about the source of the content if you are in a frameset.
Take a look at: http://www.abpo.net/rg.html
And note that images are served by abpo.net, yet the HTML with the exception of the frameset is served elsewhere.
In short, I think that far more sophistication is needed in anti-phishing tools before they will truly be valuable. Stopping 80% of problems may be good enough for government work, but anyone worth dealing with will can you for such junk (Microsoft, Sybase, Oracle, IBM, and etcetera would not accept such slipshod quality from a database, why accept such junk for your financial transaction ;o).
my $0.02,
Sean P. DeMerchant
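
The check the message asks for (list every source site, or warn when any content comes from an external one), sketched as an added example that is not part of the original post or of any toolbar's code. It goes slightly beyond frames to cover images, scripts, stylesheets and form targets, inspects static markup only (an assumption; script-injected content is not seen), and the sample page is constructed from the hypothetical URLs in the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch from, or submit to, a URL.
URL_ATTRS = {"frame": "src", "iframe": "src", "img": "src",
             "script": "src", "link": "href", "form": "action"}


class SourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for everything the page loads or posts to."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> re-targets every relative URL that follows it.
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = URL_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if value:
            self.found.append((tag, urljoin(self.base, value)))


def external_sources(page_url, html):
    """Return sorted (tag, host) pairs served by a host other than the page's."""
    top_host = (urlsplit(page_url).hostname or "").lower()
    collector = SourceCollector(page_url)
    collector.feed(html)
    hits = set()
    for tag, url in collector.found:
        host = (urlsplit(url).hostname or "").lower()
        if host and host != top_host:
            hits.add((tag, host))
    return sorted(hits)


# Constructed sample using the hypothetical URLs from the message above.
SAMPLE_URL = "http://www.somewhere.net/only_fools_would_click_on_this_link/login.html"
SAMPLE_HTML = """<html><frameset rows="100%">
  <frame src="http://www.steal_your_info.net/sucker.html">
</frameset></html>"""

if __name__ == "__main__":
    print(external_sources(SAMPLE_URL, SAMPLE_HTML))
```

A toolbar that displayed only the top-level host would show www.somewhere.net for this page; the list returned here is what it would have to surface to the user instead.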