From: "Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>
Date: Thu, 13 May 2004 10:55:05 +0100
This is the most workable of all ideas I think, it would certainly draw people's attention to the fact that the
submission was a little bit iffy. Whether this would then prompt them not to continue or indeed whether the message
could be clearer in its explanation of what is going on is less likely.
It may also be that as authentication on a URL is possibly an advanced feature, it could be off by default, and
explicitly turned on by the user who understands what the resultant addresses look like and would therefore be better
educated to spot things like this.
Protecting the user with default config is possibly the way to go with this. However, as without Outlook, I'd
occasionally like to override this. For example, to open the Word doc that my colleague has sent from across the room and
not be told it can't ever be done.
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Thu 13/05/2004 07:42
To: Griffiths, Ian
Cc: webappsec () securityfocus com
Subject: Re: Phishing
"You have clicked a link to 'nefarious.fraud.net', with username
'secure.bank.com' and password '********'. Do you want to continue? Ask
me next time (x)"
I guess this could be a password dialogue, with the username and
password filled in, similar to the current basic auth password dialogs.
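
The warning dialog proposed in the quoted message, combined with the off-by-default setting suggested in the reply, sketched as an added example (not part of either message or of any browser's code). `checkLink`, `prefs.allowUrlAuth`, `safeDecode` and the sample password are assumptions made for illustration.

```javascript
// Added example: decide what to do with a clicked link that carries
// userinfo (user:password@host). Uses the standard WHATWG URL parser.

// Userinfo is percent-encoded by the parser; decode it for display,
// falling back to the raw text if the encoding is malformed.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch {
    return text;
  }
}

// prefs.allowUrlAuth is a hypothetical user preference, off by default.
function checkLink(href, prefs = { allowUrlAuth: false }) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { action: "block", reason: "unparseable URL" };
  }
  if (url.username === "" && url.password === "") {
    return { action: "allow", host: url.hostname };
  }
  const host = url.hostname; // where the request really goes
  const user = safeDecode(url.username);
  // A username shaped like a hostname is the lookalike case in the thread.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user);
  if (!prefs.allowUrlAuth) {
    return { action: "block", host, user, looksLikeHost,
             reason: "authentication in URLs is turned off" };
  }
  // Never echo the password itself; show a fixed mask instead.
  const pw = url.password ? " and password '********'" : "";
  const message = `You have clicked a link to '${host}', with username ` +
                  `'${user}'${pw}. Do you want to continue?`;
  return { action: "confirm", host, user, looksLikeHost, message };
}

// Constructed sample link using the hostnames from the message above.
const sample = "http://secure.bank.com:hunter2@nefarious.fraud.net/login";
console.log(checkLink(sample));
console.log(checkLink(sample, { allowUrlAuth: true }).message);
```
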