Security Basics
mailing list archives
Re: Anti-Phishing with digital watermarking
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Sat, 27 Sep 2008 01:23:46 +0200
On 2008-09-26 Alcides wrote:
> Recently came across some interesting text while reading about
> anti-phishing techniques, that can be implemented server-side.
> -----------------<snip>------------------------------------
> If we insert something like obfuscated java-script in the original
> website [which alerts us when run under any URL other than the
> authentic] we can get alerted against these attacks.
> -----------------<snip>------------------------------------
Bad idea for at least three reasons:
- Alerts based on client-side scripting won't work when scripting is
  disabled in the browser, which is the more secure setting to begin
  with. So, to enable this kind of alert, you'd have to lower the
  overall security of the browser.
- With client-side scripting enabled, phishers can most easily use the
  very same technology to rewrite those parts of the included original
  page they don't like.
- Even with client-side scripting disabled, phishers can still use
  server-side scripting to rewrite those parts of the original page they
  don't like, because they're acting as a man-in-the-middle.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq