IE 7.0 is to get a phishing filter that once again seems to take on slightly Orwellian proportions. With phishing protection enabled, IE7 sends every URL that is opened to a Microsoft server to check it against a blacklist. Great stuff, that lets you track an awful lot of what consumers are doing.
Of course you can also have yourself put on a "white list":
If you are a site owner and your website is shown as suspicious or blocked, you too can click on the red or yellow warning in the Security Status Bar and click on the link to send feedback about the mistake. On the feedback page you can fill out the necessary information and request to have your website reevaluated. Once a request has been submitted it is reevaluated by the Phishing Filter team. Based on the reevaluation, the site will either be removed from the list or left as it is.
So if I were a phisher, I would first put "harmless" content on the page I planned to use later, write a mail to the MS phishing team, have myself put on the whitelist, and then swap the content for the phishing page.
A Mozilla developer comes to the same idea in his blog, and draws some further conclusions as well:
Server-blacklist-based anti-phishing implementations put you in an arms race, and one in which the phishers hold all the cards. They have 20,000-strong botnets with automatic deployment tools; you have to check every submitted URL by hand. They can invent new ways of obfuscating and redirecting URLs; you are limited by the tools built into your deployed client. They have a large financial incentive; you are giving away a free product.
There’s no magic bullet, but I believe the correct route to take is a combination of greater SSL use (which means we need SSL vhosting), stronger certificate field verification and OCSP, combined with in-browser standalone heuristics and a sprinkling of user education. A minimal amount of the latter is IMO, sadly, unavoidable – it’s very hard to protect people who will put their credit card number into just any web form which asks for it.
Have fun with IE 7.0.
I left a comment over on that blog; let's see when it shows up there. Others had already written something along those lines (21:18 local time):
„sounds good, but might prove goof. imagine my site gets blacklisted (by accident, by concerted influx of fake browser history lists from 20.000+ botnets phishers use, or whatever technique comes up their minds), and this causes me loss of money. imagine my site being a webshop, but without customers since no one can actually access it.
then, in the middle of chaos and lost revenue, I have to fill out a form and have to wait
how long will it take? are there guaranteed response times? is there any compensation if my income loss is severe? what kind of plans are there against mass misuse by botnets?“
let's see what comes of it.