
Almost no aspect of the phishing problem is rooted in HTTPS.



That is precisely why I criticize SSL. One of the primary goals of SSL is to authenticate a site so that Grandma can rest assured she is not being scammed. "Phishing" represents a catastrophically expensive failure to achieve that goal.

Trusted root CAs have "verified" millions of SSL certificates to one degree or another, from simple checks for ___domain control all the way up to brick and mortar audits. The problem is, any one of those millions of certificates can be used to phish customers of building-and-loan.com and steal massive amounts of their money.

A scammer simply sends Grandma an official looking email saying "We have recently received a request to wire money out of your Building and Loan account. Please log in here to confirm or deny this request. This extra level of precaution is for your safety. Sincerely, [insert signature of CEO here]."

Now when Grandma clicks the link, she is taken to an SSL-protected site called "building-and-loan-confirmation.com", which to Grandma's delight and comfort is "verified by Equifax". This misplaced trust costs Grandma $25,700.

I am thinking the very least browser writers can do is give Grandma a simple way to "confirm" a site which she has visited. Once she has confirmed it, and maybe given it a "pet name", her browser will display an especially reassuring theme any time she visits that site again (e.g. green border, friendly picture, familiar name, whatever).

Grandma still needs to know that she should only log in when she sees that reassuring theme. Any time she visits a non-confirmed site, she will only see a plain looking neutral theme. (Note: NOT alarming red, because then she'd see red constantly as she browses around. Just neutral.)

Note that the suggestion I just made actually has nothing to do with SSL. Keep in mind that a phisher could easily send Grandma an unsecured link in an email -- no HTTPS at all. If Grandma clicks that link, she will only see a neutral theme, and if she remembers her lesson, she will NOT log in because she does not see the reassuring theme.

Of course, you could also say that Grandma should remember this lesson: don't click links in emails. Only visit sites by (1) typing in the name yourself or (2) using a bookmark. But I'm just trying to suggest a way to help Grandma after she has forgotten that primary lesson.

Here's another idea. You know how Firefox remembers passphrases for you, protected by a master security passphrase? That could help here. If Grandma visits the real building-and-loan.com site, her user name and password will be filled out for her automatically. If she visits a phishing site, it won't. That is another "hook" where browser writers might do something to help dear Grandma protect her property from predators. Something along the lines of: "This site is asking you to log in, but you have never logged into this site before. Are you sure you want to do this?"
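A toy model of the two browser hooks proposed in the comment above (the confirmed "pet name" theme and the never-logged-in-here warning), added here as an example and not taken from the comment or from any real browser. The confirmed-site list, the pet name and the URLs are constructed; the key point it shows is that the decision is keyed on the exact origin, not on whether the connection uses HTTPS.

```javascript
// Constructed sample store: origins Grandma has explicitly confirmed,
// each with a pet name and whether a saved login exists there.
const confirmedSites = new Map([
  ["https://building-and-loan.com", { petName: "My Bank", hasLogin: true }],
]);

// Normalise a URL to its origin (scheme + host + port); null if unparseable.
function originOf(url) {
  try {
    return new URL(url).origin; // e.g. "https://building-and-loan.com"
  } catch {
    return null;
  }
}

// The "confirm this site" step: record the exact origin under a pet name.
function confirmSite(url, petName, hasLogin) {
  const origin = originOf(url);
  if (origin === null) return false;
  confirmedSites.set(origin, { petName, hasLogin });
  return true;
}

// What the browser UI should do on a page, optionally one asking for a login:
//   theme "reassuring": confirmed origin, show pet name, autofill saved login
//   theme "neutral"   : anything else, plain theme, never autofill
//   warn true         : a login form on an origin Grandma never confirmed
function loginDecision(url, askingForLogin = false) {
  const origin = originOf(url);
  const entry = origin === null ? undefined : confirmedSites.get(origin);
  if (entry) {
    return { theme: "reassuring", petName: entry.petName,
             fill: entry.hasLogin, warn: false };
  }
  // A lookalike ___domain, an http:// version of a confirmed site, or an
  // unconfirmed subdomain all land here, no matter who issued its certificate.
  return { theme: "neutral", petName: null, fill: false, warn: askingForLogin };
}

// Stand-alone demonstration with the constructed URLs.
for (const u of ["https://building-and-loan.com/login",
                 "https://building-and-loan-confirmation.com/confirm",
                 "http://building-and-loan.com/login"]) {
  console.log(u, JSON.stringify(loginDecision(u, true)));
}
```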



