http://blog.lathi.net/articles/2005/07/01/servers-identifying-themselves-anti-phishing en-us 40 On Life, Fatherhood, Christianity, and Computers Part of the problem with passwords is that users can be tricked into giving them to the wrong people. <a href="http://www.tygar.net/papers/Battle_against_phishing.pdf" target="_top">This (pdf)</a> is a proposal to help combat that. <a href="http://www.schneier.com/blog/" target="_top">Bruce Schneier</a>, my favorite security guru, <a href="http://www.schneier.com/blog/archives/2005/07/security_skins.html" target="_top">points</a> out a method developed by Rachna Dhamija and Doug Tygar of UC Berkeley for servers to identify themselves. To be honest, I haven&#8217;t read the paper from Dhamija and Tygar; just Bruce&#8217;s summary. However, it seems like a really cool idea. <p /> Basically, the server generates a unique abstract image to associate itself with each user. When the server asks for authentication, it displays the image. The user can visually determine if the right image is displayed to verify that the web page is authentic. <p /> Of course, what users are supposed to do is examine the <span class="caps">SSL</span> certificate for the site. No one does this. In fact, browsers are making this harder to do. So servers have it in their best interest to make sure that users know they are the legit server. They suffer as much from phishing as the victim user does. <p /> I might try to figure out how to implement this nicely with some of my web sites. Fri, 01 Jul 2005 13:14:00 -0500 urn:uuid:a007b5aa42299d52d7c7a1fc24a68ac4 Doug http://blog.lathi.net/articles/2005/07/01/servers-identifying-themselves-anti-phishing Security