Friday, June 27, 2008

New anti-phishing browser plug-in

As a break from the "all Heller all the time" coverage yesterday, there's an interesting new browser plug-in from Stanford University that's designed to help block phishing attacks. It's free.

The good: The red/yellow/green notification is probably the right user interface. Not all phishing attacks are easy to identify ("Good day. My name is Jabbo Mbuto, financial secretary to His Excellency ...") - anything that wants to be effective will have to satisfy the "Mom Test" of security (can your mom use it effectively?).

More good: Some of what they do is pretty clever - for example, comparing the domain name that you're currently visiting to domains in your browser history list. So if you were trying to go to (note the "i" replacing the "l"), it would flag this as way, way too similar to somewhere you've been recently. This likely can prevent some attacks on your paypal, or bank accounts.

The possibly-not-so-good: Not as sure about checking URL sanity (e.g. attacks like, because there are lots (I mean lots) of ways to encode parts of a URL to make them look harmless (e.g. UTF-8). The image comparison is another neat idea that might be pretty easy for the Bad Guys to get around. I have to confess that I haven't played with this, to see if you can break it. May work just fine.

The definately-not-so-good: When it tells you something, it drops into powergeek-speak (security version). Not impossible to figure out, but the smart money isn't betting that mom will handle this as gracefully as the red light/green light paradigm. Here's an example:

The Bad: It's only available for Internet Explorer (version 6). It's a whole 'nother story why some of us use Firefox (read: avoid IE like the plague), but I'm not super keen on going back to IE - you need a lot of patches to keep Internet Explorer's muzzle clean, if you catch my drift.

So, do you want this? If you use IE as your browser, and if you're moderately careful when you browse teh Intarwebs, and if you've got a decently high computer geek level, it's probably worth trying.

Firefox users, check out noscript. I'm more concerned with evil Javascript (or worse, AJAX). If you're really paranoid (good for you!) check out Opera.

Lastly, what's the most important thing to increase your browser security? Remember that every site you visit is somewhere else, that the content comes from someone else, and "open your mouth and close your eyes" sometimes gives sub-optimal results.

No comments: