Face is truth. A long way to real truth.

Thursday, November 23, 2006

Some view on web-phishing

I have had some information about web-phishing for a long time, but I have not given it any further thought.

Firefox, IE 7.0 and all the anti-virus vendors have offered some solutions to defend against web-phishing.
First, I should say what web-phishing is, in my opinion. Of course, I did not spend a lot of time investigating it, so what I say here is just my understanding based on my current knowledge.

Typically, web-phishers pretend to be some official website and use this method to tempt unsuspecting people. They create web pages that look precisely like the real ones, where users input their identities and passwords. They can then use these identities for profit.
The principle of this kind of attack is very simple: they dig an elaborate trap, and then actively or passively wait for end-users to fall in.

Solution for this kind of attack:
1. Create a trust root for all web sites, as we now see with PKI organizations and anti-phishing vendors.
2. Define some footprints or rules to prove what is a real website, such as getting a digital certificate from PKI Certificate Authorities, defining a precise URL (secure DNS needed), or some other special algorithm to prove yourself.
3. End-users select a vendor to help them check these proofs.
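
The "precise URL" footprint from item 2, as an added example that is not part of the original post: a Python check that accepts a link only when its host exactly matches a published list, since a page that merely contains the official name somewhere in its address proves nothing. The `bank.example` hostnames and the `check_url` function are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the "precise URL" footprint a real site would publish.
OFFICIAL_HOSTS = {"www.bank.example", "login.bank.example"}


def check_url(url, official_hosts=OFFICIAL_HOSTS):
    """Return (ok, reason) for a link the user is about to follow."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, userinfo and port stripped
        parts.port             # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https, so no certificate is checked"
    if not host:
        return False, "no host"
    # "https://official-name@other-host/" displays the official name first,
    # but the browser connects to the host after the "@".
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    host = host.rstrip(".")
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, "non-ASCII host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible lookalike)"
    # Exact comparison: a substring or prefix test would accept
    # "www.bank.example.evil.test".
    if host not in official_hosts:
        return False, "host not on allowlist"
    return True, "exact match"


if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://www.bank.example/login",
                 "https://www.bank.example.evil.test/login",
                 "https://www.bank.example@evil.test/login",
                 "http://www.bank.example/login"):
        print(link, "->", check_url(link))
```

A passing result only says the name is right; the certificate and secure DNS from the same item are still what tie that name to the real server.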

Surely, the solution for web-phishing should be delivered by a collection of organizations and vendors.
We are back to the trust infrastructure.
