Servers Identifying Themselves (Anti-Phishing)
Posted by Doug Fri, 01 Jul 2005 18:14:00 GMT
Part of the problem with passwords is that users can be tricked into giving them to the wrong people. This (pdf) is a proposal to help combat that. Bruce Schneier, my favorite security guru, points out a method developed by Rachna Dhamija and Doug Tygar of UC Berkeley for servers to identify themselves. To be honest, I haven’t read the paper from Dhamija and Tygar; just Bruce’s summary. However, it seems like a really cool idea. Basically, the server generates a unique abstract image to associate itself with each user. When the server asks for authentication, it displays the image. The user can visually determine if the right image is displayed to verify that the web page is authentic. Of course, what users are supposed to do is examine the SSL certificate for the site. No one does this. In fact, browsers are making this harder to do. So servers have it in their best interest to make sure that users know they are the legit server. They suffer as much from phishing as the victim user does. I might try to figure out how to implement this nicely with some of my web sites.
