Browser Makers Band Together Against Phishers

Developers speaking for Internet Explorer, Firefox, Opera, and Konqueror recently met in Toronto to discuss how their browsers could better identify trusted and suspicious Web sites.
Such tactics are common; the old-but-still-effective bogus security alert is perhaps the best-known example. These pop-ups resemble dialog boxes -- as if the operating system had cranked them out -- but are in fact browser windows stripped of an address bar.

"A missing address bar creates a chance for a fraudster to forge an address of their own," noted Franco.

"This will prevent sites from mimicking a local application window or make it look like a security dialog box," added Staikos. "By forcing the address and status bar to appear on every window, it will be very clear that this is still in a browser window, and so connected to the network."

Some browsers already include elements of the plan. Firefox and the open-source Konqueror, for example, put the padlock icon in the address bar, while the under-development Internet Explorer 7 uses the green/red combination in its integrated anti-phishing filter.

The browser builders and certificate issuing companies have yet to come up with a new way of creating more rigorously-checked certificates, but Staikos was confident it will happen. "All parties recognize that there are issues with current certificates, and over the past eight months, we've had numerous discussions. The major signing authorities know this is an open issue, and they'll come to some sort of agreement."

No promises were made at the meeting that all four browser makers will adopt the ideas, in part because representatives of the open-source Firefox and Konqueror can only pass on recommendations to their developers.

"That's one of the problems with open source, we don't have someone who pulls all the strings," Staikos said. "All we can do is bring recommendations.

"But I think it's extremely likely, say 99.9 percent, that Konqueror goes this way," he added. "And I think Firefox will, too."

Frank Hecker, one of the two Firefox developers who attended the meeting, backed up Staikos.

"I haven't made any commitments on behalf of the Mozilla project, nor do I have the power to do so," Hecker wrote on his blog. "I can only make suggestions. Final decisions on the user interface for Firefox, Thunderbird, etc., are up to the development teams for those products."

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing