Author Topic: Using URL question - phishing protection?  (Read 1001003 times)

Offline tanstaafl

  • God Member
  • Posts: 1363
Using URL question - phishing protection?
« Reply #15 on: October 07, 2005, 08:32:34 PM »
Quote
Also, I want RegEx because of a special situation here at my job. There's a site I can access with the computer name, and the full domainname. Using mail.google.com as the example domain, that means I can hit it with mail and mail.google.com.
? If you put 'mail.google.com' in the 'When URL Contains' field now, plain 'mail' will *not* be a match... so again, I must be missing something... :unsure:

Quote
Then there's the fact some web apps here use different password methods, one of which the dropping to google.com works, but at times, I want the full mail.google.com to be used in some directories.
So you set up an account for each using the URL you want evaluated...

Ok, I'm tired... it's been a long day (my wife has migraines on occasion and we were up most of the night last night), so I'm gonna go over this thread in the morning and see if I can see what I'm apparently missing... sorry for the confusion...

LkonKbd

  • Guest
Using URL question - phishing protection?
« Reply #16 on: October 08, 2005, 09:50:20 PM »
If a non-programmer, non-geek-i-zoid, non-computer expert, just a simple user that is curious and would like to put in $0.002 worth of ideas.

Why not make it so the 'Use this URL' be made to indicate the site you are wanting to login to and not modifiable, if it gets modified you are NOT logged in.  Even if the 'Auto-Populate UserName & PassWord' is checked, if they do not fit then you cannot convict er enter.  If there is more added to the end, after the / (slash) then it will not work.  'When the URL contains' field can contain the same or a part of that addy so there is an unknown added there as part of your Modifier, but not that field.  There is another unknown, not having a full URL or Domain in the 'When the URL contains' field.

Or am I not really understanding your point in this?  I am using 'SpoofStick' v1.05 maybe this can be used in PassWordMaker so that if 'SpoofStick' does not match you will not be taken to that website, with a notice displayed, 'The site you attempted to access is not valid or not the one you wanted.'

Offline ajw

  • Jr. Member
  • Posts: 81
Using URL question - phishing protection?
« Reply #17 on: October 09, 2005, 02:40:47 AM »
With the prevalence of phishing schemes now, I think this is an important feature - even more so for the average user than for the experienced folk.  (fwiw, I consider myself pretty experienced, but I almost got caught by a phishing email last year - it was late, I was busy, and I got a report that my credit card had anomalous information posted, and "here's the link to your account" - damned if I didn't click the link and get ready to enter the password before I caught myself!)

Having PM recognize "this isn't the right site" will create smiles every time it saves someone from a phishing scam.   A Good Thing...


I have to admit, I didn't read the docs much, and I was confused by the two URL fields at first.  (for that matter, I'm not sure if I understand all the  nuances even now; gotta read the docs sometime...  :)


Considering that there's a push to move the more-complex parts of the password configuration away from the more user-friendly parts, how about something along these lines?

The user would see two fields - the first is the actual URL; the one they *should* be at.

They'd also have a "what's important in this URL" field that shows what must match the URL in the browser for this account to be used for this site.

Something like:

Web site URL:  http://www.google.com/anything

Important parts, to recognize this web site:  http://www.google.com/anything

This shows that the entire thing must match for this account to generate a password at this URL.  If there's anything different (even https instead of http) it won't match and will be rejected; no password will be generated.

The user can adjust what's important (maybe highlight a part and tap a button that says "not important" or "important" ?   Dunno...)

So they could make it:

Web site URL:  http://www.google.com/anything

Important parts, to recognize this web site:  http://www.google.com/anything

This indicates that this account is valid with:
    http://www.google.com/anything
    http://google.com/anything
    http://mail.google.com/anything
but would NOT work with:
    http://www.google.com/anything/andsomething
    http://www.google.com/something
    http://www.google.com.badguy.xyz/anything
(the big question is:  is this clear to general users?  I suspect it isn't...  so better is needed)

There could also be an "allow anything here" indicator:

Web site URL:  http://www.google.com/anything

Important parts, to recognize this web site:  https://www.google.com/anything(allow any text)

The idea here is to show that http:// is ok, https:// is also ok (i.e., the 's' is permitted but not required) and anything can follow the URL and it's ok.

Hmmm...  even as I type this it seems ugly and confusing to me...   How can it be made flexible to power users (RegEx seems reasonable - but you'll never in a million years get my wife or father-in-law to use 'em) and simple enough for the vast general user?


Another thought - won't the average user look at PM when it's NOT generating a password and just think "it's not working - it's broken" (meaning PM) - they won't recognize they're not where they think they are?

Should there be something like a "why isn't this generating the password?" button, so when they're at http://www.mybank.com.ru
instead of https://www.mybank.com

they can tap that button and see:
    The top-level domain differs:  ru instead of com
    The second-level domain differs:  com.ru instead of mybank.com
    The entire host name differs:  www.mybank.com.ru instead of www.mybank.com
    Protocol differs:  http:// instead of https://
    DANGER!
    YOU ARE NOT AT THE RIGHT WEB SITE!
    POSSIBLE PHISHING SCAM!
Just imagine your non-expert friend's reaction when that happens and they realize PasswordMaker just protected them from losing their bank account.  Think they'll tell all their friends how good PM is?   :)

- Al -
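The "why isn't this generating the password?" report sketched in the post above, written out as an added example (this is not PasswordMaker's own code). It compares the URL an account was set up for with the URL the browser is actually at and lists which parts differ, in the order the post gives them. The function names and the two sample URLs are assumptions made for illustration; the split into "top-level" and "second-level" domain is the naive last-label / last-two-labels split, which is wrong for names under suffixes like co.uk (a public-suffix list is needed for those).

```javascript
// Added example, not PasswordMaker's own code. Function names and the
// sample URLs are assumptions made for illustration.

// Hostname labels from the right: "www.mybank.com.ru" -> ["ru","com","mybank","www"].
function labelsFromRight(hostname) {
  return hostname.toLowerCase().split('.').reverse();
}

// Compare the expected and actual URLs and report the differences in the
// order a user could read them: top-level domain, second-level domain,
// full host name, protocol.
function explainMismatch(expectedUrl, actualUrl) {
  const expected = new URL(expectedUrl);
  const actual = new URL(actualUrl);
  const e = labelsFromRight(expected.hostname);
  const a = labelsFromRight(actual.hostname);
  const differences = [];

  // Caveat: taking the last label as the TLD and the last two as the
  // registrable domain is a simplification. Names under multi-label
  // suffixes such as co.uk need a public-suffix list to split correctly.
  if (e[0] !== a[0]) {
    differences.push(`Top-level domain differs: ${a[0]} instead of ${e[0]}`);
  }
  const eSld = e.slice(0, 2).reverse().join('.');
  const aSld = a.slice(0, 2).reverse().join('.');
  if (eSld !== aSld) {
    differences.push(`Second-level domain differs: ${aSld} instead of ${eSld}`);
  }
  // Only a different host is a different site; path and query do not count.
  const wrongSite = e.join('.') !== a.join('.');
  if (wrongSite) {
    differences.push(`Entire host name differs: ${actual.hostname} instead of ${expected.hostname}`);
  }
  // A protocol change alone (https -> http) is the same site, but the
  // password would travel in the clear, so it is reported separately.
  const downgraded = expected.protocol === 'https:' && actual.protocol !== 'https:';
  if (expected.protocol !== actual.protocol) {
    differences.push(`Protocol differs: ${actual.protocol}// instead of ${expected.protocol}//`);
  }
  return { differences, wrongSite, downgraded };
}

// Render the report the way the post sketches it.
function formatReport(result) {
  const lines = [...result.differences];
  if (result.wrongSite) {
    lines.push('DANGER! YOU ARE NOT AT THE RIGHT WEB SITE! POSSIBLE PHISHING SCAM!');
  } else if (result.downgraded) {
    lines.push('WARNING: this page is not using https; the password would be sent unencrypted.');
  }
  return lines.join('\n');
}

// Constructed sample: the account was set up for https://www.mybank.com/
// and the browser is at the look-alike http://www.mybank.com.ru/.
console.log(formatReport(explainMismatch('https://www.mybank.com/', 'http://www.mybank.com.ru/')));
```

The same function, fed an https URL for the right host with a different path, returns no differences, so the report only fires when host or protocol change.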

Offline Romeo

  • Hero Member
  • Posts: 561
    • http://www.wprus.com
Using URL question - phishing protection?
« Reply #18 on: October 09, 2005, 03:21:28 PM »
Excellent post Al !  I especially like the part where you say:
Quote
Just imagine your non-expert friend's reaction when that happens and they realize PasswordMaker just protected them from losing their bank account. Think they'll tell all their friends how good PM is?
you also have some good ideas in there.

One thing no one has talked about yet is the certificate, the SSL certificate.  Most reputable firms will have one of those.  If they do not, I don't deal with them - tough for them.  I do not know if anyone has ever taken the time to view the certificate, but if they have, they will have noticed that there is a place for the Issued to entity.  I do not know if PM can read this, but if it could, PM could compare that name to a name, to be sure even the CN, the common name, that was previously set up in PM by the user.  If it doesn't match, WARN the user about it.

As I was proofreading this, I did remember that something about this had been brought up before, but the request was only asking about remembering the certificate and then comparing it, which is sort of along these lines.

edit:  I take that back.  One of my banks doesn't use SSL on the sign-in page.  So maybe this wouldn't be a good idea.
« Last Edit: October 09, 2005, 03:48:45 PM by Romeo »
It is impossible to create a fool-proof system, because fools are ingenious.

Offline ajw

  • Jr. Member
  • Posts: 81
Using URL question - phishing protection?
« Reply #19 on: October 09, 2005, 04:31:48 PM »
Thanks, Romeo!
Sometimes my ramblings do have something useful hidden inside...  :)

I've always wondered about certificates - I usually just click "accept 'em" unless there's something really odd about them.   I suspect most others do too...

For that matter, why can't a phisher set up a *valid* certificate for their bogus website?  Dunno what it takes, but if it's possible, it'd be a serious false sense of security.

I think we really just need to breed a better level of human being...  :)


Hey, is that avatar really you?  It reminds me of Easy Rider.  I've got an '84 Gold Wing.

- Al -

Offline Romeo

  • Hero Member
  • Posts: 561
    • http://www.wprus.com
Using URL question - phishing protection?
« Reply #20 on: October 09, 2005, 04:32:01 PM »
Maybe just a little note could pop up when the user enters the URL for 'When URL contains', saying "The more of the URL you specify here, the less the likelihood that a phishing scam will work."  Then have a help link on this warning explaining what is meant by this, i.e. http://signon.ebay.com will be more secure than ebay.com.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline Romeo

  • Hero Member
  • Posts: 561
    • http://www.wprus.com
Using URL question - phishing protection?
« Reply #21 on: October 09, 2005, 04:40:42 PM »
Al,
Quote
Hey, is that avatar really you? It reminds me of Easy Rider. I've got an '84 Gold Wing.
No that is not me.  I do, however, ride a '99 BMW R1100R.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline ajw

  • Jr. Member
  • Posts: 81
Using URL question - phishing protection?
« Reply #22 on: October 09, 2005, 06:05:36 PM »
Quote
Maybe just a little note could pop up when the user enters the URL for 'When URL contains', saying "The more of the URL you specify here, the less the likelihood that a phishing scam will work."  Then have a help link on this warning explaining what is meant by this, i.e. http://signon.ebay.com will be more secure than ebay.com.

But http://signon.ebay.com/   (with the trailing slash)
will be even more secure.

http://signon.ebay.com would match with http://signon.ebay.com.phishing.scam/


The more I think of this, the more important I think it is for the general user!  (and me, 'cause I'm stupid sometimes...   :)

I'll bet we could come up with some rules that would indicate the relative security of the URL.  To start with:

- Al -
Only kings, presidents, editors, and people with tapeworms have the right to use the editorial "we."
- Mark Twain

Offline tanstaafl

  • God Member
  • Posts: 1363
Using URL question - phishing protection?
« Reply #23 on: October 09, 2005, 06:46:21 PM »
Quote
The more I think of this, the more important I think it is for the general user! (and me, 'cause I'm stupid sometimes...
Ditto...

While I agree with the intent of all of these suggestions, I think it is becoming unnecessarily complicated. Also, I think we are all saying the same things, just in different ways.

To summarize - in my opinion, by default, PM should *automatically* and *invisibly* protect against phishing attempts through the use of isolating the top-level domain - ie, allowing only the preceding dot and trailing text *after* the slash, per my previous examples. Of course, this behavior should be well-documented, with all of the reasons we are talking about here (for anyone who knows about and understands such things).

Also, I would be against this behavior being 'optional' - it just doesn't make sense in my book to allow a 'less-secure' mode.

The primary issue I see is how this would impact current Settings. A major goal of Eric's - and understandably so - is to not introduce anything into PM that will break current passwords unless it is *absolutely* necessary, so this would probably have to have some kind of built-in compatibility mode, that would simply keep nagging the user to change any password that is using the less secure URL.

I think we have provided more than enough specific examples, and Eric will come up with a simple, clean way of implementing this - assuming he sees the value in it.

LkonKbd

  • Guest
Using URL question - phishing protection?
« Reply #24 on: October 09, 2005, 09:12:24 PM »
Quote
The more I think of this, the more important I think it is for the general user!  (and me, 'cause I'm stupid sometimes...   :)

Very strange happenings with this software, will post in a separate topic after I finish with this.

"ajw,"

Excuse me on this one point, you do NOT hold the market on being STUPID.  You have to share that with the remainder of us.  Or we will have to give each of us our own corner, which is not, in reality, possible.

From my perspective the full URL for login should be in the window 'Use this URL' then if there is anything else there it will not get a password that is in your groups.  I am using 'SpoofStick' that will display the actual site I am on and if it is not what I am supposed to be on, even though the correct one is shown in the location window, do not login.  It comes back to you have to be observant and smarter than the phisher.

"tanstaafl"

". . . Eric will come up with a simple, clean way of implementing this . . ." now let Eric do it.  Well he is the final say so on what to do.

I will not put any more ideas here so he can work on what we have given him to sort out already.

CU L8R,

Offline ajw

  • Jr. Member
  • Posts: 81
Using URL question - phishing protection?
« Reply #25 on: October 09, 2005, 09:44:16 PM »
Quote
Excuse me on this one point, you do NOT hold the market on being STUPID. You have to share that with the remainder of us. Or we will have to give each of us our own corner, which is not, in reality, possible.
Hmm....   each our own corner...   infinite people, infinite corners...  polygons....   triangle -> square -> pentagon -> ...

With enough corners, it becomes round

Round...   like  a ring...   One Ring!   :)

- Al -

LkonKbd

  • Guest
Using URL question - phishing protection?
« Reply #26 on: October 09, 2005, 10:04:51 PM »
Quote
Hmm....   each our own corner...   infinite people, infinite corners...  polygons....   triangle -> square -> pentagon -> ...

With enough corners, it becomes round

Round...   like  a ring...   One Ring!   :)

- Al -
Vicious Circle w/ teeth!!

CU L8R,

Offline Romeo

  • Hero Member
  • Posts: 561
    • http://www.wprus.com
Using URL question - phishing protection?
« Reply #27 on: October 09, 2005, 10:28:37 PM »
Al,
Quote
But http://signon.ebay.com/ (with the trailing slash)
will be even more secure.
of course, do as I mean, not as I write.  I have just changed all my settings to contain a trailing slash, even though I wrote it w/o the slash.

tanstaafl,
Quote
The primary issue I see is how this would impact current Settings. A major goal of Eric's - and understandably so - is to not introduce anything into PM that will break current passwords unless
When you change the entry in When URL contains, the password is not affected.  Trust me, I just made the changes to all my accounts.

Earlier, I was actually going to do a post on the difference between When URL contains vs. Use this URL, but I shied away from that for some reason.
« Last Edit: October 09, 2005, 10:29:07 PM by Romeo »
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • God Member
  • Posts: 1363
Using URL question - phishing protection?
« Reply #28 on: October 10, 2005, 06:40:48 PM »
Ok, back to the question at hand...

I'd like to thrash this out some more before I go file a Request... I'd also like to hear some input from Eric - ie, are you interested in this at all?

The goal is to implement some form of automatic phishing protection for critical Accounts. According to Eric, this already happens when the Defaults are used, so this discussion is only relevant to Custom Accounts.

What I'm hoping for is to get PM so that it recognizes a true domain from a fake automatically. Currently, one way this could be implemented manually, would be to code PM so that all you'd have to enter in the 'When URL Contains' field is 'domain.com', and PM would evaluate it thusly:

*[.]domain.com[/]*

where the preceding '.' (dot) is the only character allowed (but not required) to immediately precede what is entered, and the trailing '/' (slash) is the only character allowed (but not required) to follow the last character entered. The asterisks are, of course, wildcards, so could be any valid URL characters.

The only problem with doing it this way is it is highly error prone...

How about having the actual Top-Level Domain automatically *captured* by PM (with visual confirmation?) when the Account is created, but kept *separate* (and uneditable) from the 'When URL Contains' field. Validate it *first* (according to the rule above) - *before* checking for matching text (if the User puts anything in the 'When URL Contains' field). If nothing is entered in the 'When URL Contains' field, then the 'Use This URL' field could be greyed out (or not).

Thoughts?
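An added example (not PasswordMaker's own code) that puts the matching rules from this thread side by side: the plain substring match ajw discusses in Reply #22 (with and without the trailing slash), the '*[.]domain.com[/]*' rule from the post above read as a pattern over the raw URL string, and the same intent applied to the hostname the browser actually parsed. The function names, the sample URLs other than the two from the thread, and the reading of the rule (entry preceded only by '.' or by the '//' after the scheme, followed only by '/' or end of string) are assumptions made for illustration.

```javascript
// Added example, not PasswordMaker's own code. Function names, the sample
// URLs (except the two taken from the thread) and the reading of the
// "*[.]domain.com[/]*" rule are assumptions made for illustration.

// Escape a literal string for use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// (1) Plain substring match on the whole URL, the behaviour the thread
//     describes for "When URL Contains".
function matchSubstring(url, entry) {
  return url.includes(entry);
}

// (2) The "*[.]domain.com[/]*" rule applied to the raw URL string: the entry
//     may only be preceded by "." (or by the "//" after the scheme) and only
//     followed by "/" (or end of string); anything may appear further out.
function matchDotSlashRule(url, entry) {
  const re = new RegExp('(^|//|\\.)' + escapeRegExp(entry) + '(/|$)');
  return re.test(url);
}

// (3) The same intent applied to the parsed hostname instead of the raw
//     string: the entry must be the host itself or a parent domain of it.
//     Userinfo, path and query can no longer stand in for the host.
function matchHostSuffix(url, entry) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return false; // not something the browser would navigate to
  }
  const wanted = entry.toLowerCase();
  return host === wanted || host.endsWith('.' + wanted);
}

// Constructed sample URLs: the first two are the real sign-on host, the
// rest are look-alikes. The third is the one quoted in the thread.
const SAMPLE_URLS = [
  'http://signon.ebay.com/',
  'https://signon.ebay.com/login',
  'http://signon.ebay.com.phishing.scam/',       // entry followed by more host
  'http://evil.example/signon.ebay.com/',        // entry in the path
  'http://evil.example/login.signon.ebay.com/',  // dot-prefixed, in the path
  'http://signon.ebay.com@evil.example/',        // entry as userinfo
];

// Evaluate one "When URL Contains" entry against every sample URL with
// all four strategies; returns { url: { substring, substringSlash, dotSlash, host } }.
function evaluate(entry, urls = SAMPLE_URLS) {
  const out = {};
  for (const url of urls) {
    out[url] = {
      substring: matchSubstring(url, entry),
      substringSlash: matchSubstring(url, entry + '/'),
      dotSlash: matchDotSlashRule(url, entry),
      host: matchHostSuffix(url, entry),
    };
  }
  return out;
}

console.table(evaluate('signon.ebay.com'));
```

Run as is, the table shows the trailing slash stopping the '.phishing.scam' case but not an entry hidden in the path, the raw-string rule still accepting 'login.signon.ebay.com' as a path segment, and only the hostname check rejecting every look-alike while accepting both genuine URLs. Matching on what the browser parsed, rather than on the URL text, is the property the rest of the thread is circling around.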

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • Posts: 3352
    • http://passwordmaker.org/
Using URL question - phishing protection?
« Reply #29 on: October 10, 2005, 06:48:10 PM »
Quote
I'd also like to hear some input from Eric - ie, are you interested in this at all?
Sure.

Quote
The only problem with doing it this way is it is highly error prone...
Why is this error-prone?
