User: Password:
Subscribe / Log in / New account

Oxford blocks Google Docs as a phishing countermeasure

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 15:12 UTC (Thu) by epa (subscriber, #39769)
In reply to: Oxford blocks Google Docs as a phishing countermeasure by pboddie
Parent article: Oxford blocks Google Docs as a phishing countermeasure

Unfortunately browsers don't give much help for letting the user know what is a valid password prompt and what is not.

I think an animated agent (like the old Office Assistants of MS Office) could help here; whenever a site displays a form the agent could appear in the corner of the window with a face that communicates 'OK' or 'not sure who you're talking to here', and a banner saying what the website is and whether it is verified.

So when going to a plain http: page hosted at the little guy would shake his head, or wag his finger, and point out that (a) anybody can see the password you're entering as it goes across the wire, and (b) this is a page at Google.

(Five years ago this would have generated too many warnings all over the web, but nowadays major sites are increasingly using https.)

Browsers do have a well-intentioned warning that you are submitting form data over an insecure connection, but it's so annoying that everyone turns it off immediately. A notification that (mostly) gets out of your way and lets you continue to enter the data if you want, but communicates security concerns in a more human way, might do a better job of getting users to think before they click.

(Log in to post comments)

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 16:08 UTC (Thu) by pboddie (guest, #50784) [Link]

Well, some of the passwords involved aren't even Web application passwords. So, the phishing mails that purport to come from a university mail service might be concerned with passwords that might only be used in dialogue windows employed by a mail client, not a Webmail service, although the latter might also be used.

An alternative to password usage in order to avoid habitual password use/misuse might involve client certificates for authentication, although that wouldn't make remote access to things like institution-provided Webmail particularly convenient, but it would make password usage so unusual that people might stop and think before typing one into a form.

The other issue I mentioned was that of trusting people who tell you or ask you for stuff. Here, the lack of adoption of proper e-mail signing and encryption is perhaps the biggest drag on any progress being made in keeping e-mail a relatively safe and reliable medium. Indeed, in many managed environments, making signed messages the default and having trusted and untrusted inboxes should be fairly straightforward to implement.

Maybe Oxford University should consider such measures if their e-mail infrastructure is up to it, which these days might have something to do with whether the vendor of that infrastructure supports it or not (and the wider matter of why/why not).

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds