Oxford blocks Google Docs as a phishing countermeasure
Posted Mar 9, 2013 23:31 UTC (Sat) by jimparis
Parent article: Oxford blocks Google Docs as a phishing countermeasure
Maybe it's time for some better browser anti-phishing support. If
I were to stand over my dad's shoulder, and I saw him typing his Paypal password into Google Docs, I'd tell him to stop. The browser could do that too:
<input type="password" warn-other-domain="paypal.com">
- If a page is served via HTTPS, and has a password field with the
"warn-other-domain" attribute set to the current domain, then, when the page is submitted, HASH(password) is permanently stored in the browser, along with its associated domain (paypal.com).
- Any time in the future, when a password field is filled out on any website, it is hashed and checked against the list of stored hashes. If it matches, but the stored hash's associated domain does not match the domain of the current website, a warning pops up:
You just entered a password that you've used before on another site, paypal.com. The original site requested that you do not use this
password anywhere else, and that any other sites asking for this password may be a potential "phishing" attack trying to steal your identity.
If you really want to submit this password to docs.google.com,
please enter it again below and select an option.
[Send my password to docs.google.com]
[Send my password to docs.google.com, and don't ask again]
In practice you'd have to put a bit more thought into this, I'm sure.
(consider attacker pages that don't use a password field to read the user's password)