Originally Posted By: macnerd10
Another thing I was just saying is that the browser should be able (some of them already are) to discern this kind of site. On the other hand, if a suspicious e-mail comes asking to urgently visit a site, I always go to View Source in Entourage and see what this is about. The info Entourage gets without opening the message is very illuminating, up to a different sender's address than the one showing in the message. I wish all e-mail programs were like this.


Unfortunately, the browser warning isn't reliable. It works by comparing the URL of the site you are at to a list of known fake URLs maintained by Google. If the URL you are at is on the list of known fakes, you see the warning.

There are two weaknesses in that approach. First, the phishers are creating thousands of new phish sites every day, so the list can never keep up. I have seen phish sites that are online for a week or more and still have not yet made it onto the list.

Second, phishers often put fake sites up by hacking real, legitimate Web sites and then uploading the phish page. If the URLs do finally get reported to Google and make it onto the list, the Web site owner might remove the phish page and fix the security hole that let him get hacked--but his site, which has now been fixed, is still listed as a fraudulent site, because URLs aren't always removed promptly from the list when the phish is taken down.

Originally Posted By: Virtual1
Usually insisting they see a padlock, while possibly less foolproof, tends to be more secure. The phishers don't normally register an SSL certificate for their domain (so they can use https) since it will get blacklisted within 8 hours or so and those things are pricey.

I've seen more than one phishing site that had a gold padlock as its tiny URL icon, or a bar across the top meant to look like the URL bar with a padlock in it, so obviously they recognize this weakness.


Yep, that's actually a problem with the way the brain works too.

You tell people "Look for a padlock" so they look for a padlock. If they see a padlock anywhere on the page they say "I know this is a real site, because I was instructed to look for a padlock and there it is." To someone who does not understand a great deal about Web browsers, it makes no difference whatsoever how many times you say "look for a padlock outside the page" or "look for a padlock in the browser's address bar". To an unsophisticated user "outside the page" makes no sense because they think of the entire window, including all the gadgets and the close icon and everything, as "the page" (think of the number of folks who think that Internet Explorer is "the Internet!") and they are not quite sure what an "address bar" is so they hear "look for a padlock mumble something something."

It's amazing. I've sat with clients, told them "look for a padlock in the address bar," then watched them surf to a site and they'll point to a picture of a padlock inside the page and say "See, there it is! This page must be safe." These are not stupid people, either.

I think that the security industry thinks about this the wrong way. I think that placing a picture or an icon to show that a page is secure is the wrong thing to do. If it were up to me, I would do it the other way around: on every page that was NOT secure, I would have the browser display a message reading "This page is not secure, and the identity of this page cannot be trusted" in red letters underneath the address bar, and make those words go away when you access a secure site.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
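The URL-blocklist mechanism described in the reply above, and its two weaknesses (brand-new phish sites that are not listed yet, and hacked legitimate sites that stay listed after the owner cleans up), as an added Python model. This is not code from the post, from Google, or from any real browser: it keeps the list in memory and fetches nothing, the URLs are made up, the seven-day staleness cut-off is an assumption rather than any real list's policy, and the exact-URL versus whole-host entries are a simplification of how such lists are keyed.

```python
"""Toy model of a URL-blocklist phishing warning and its two failure modes.

Constructed example; it models the list in memory and fetches nothing.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit, urlunsplit


def canonicalize(url: str) -> str:
    """Normalise a URL so trivial variants hit the same list entry:
    lower-case scheme and host, drop default ports and the fragment."""
    parts = urlsplit(url.strip())
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


def host_of(url: str) -> str:
    """Host part of a canonicalised URL (used for whole-host listings)."""
    return urlsplit(canonicalize(url)).hostname or ""


@dataclass
class Listing:
    listed_at: datetime       # when the URL was first reported
    last_seen_live: datetime  # when a re-check last found the phish page up


class PhishList:
    """URL blocklist with exact-URL and whole-host entries."""

    def __init__(self, stale_after: timedelta = timedelta(days=7)) -> None:
        self.entries: dict[str, Listing] = {}
        self.stale_after = stale_after  # assumed cut-off, not a real list's policy

    def report(self, url: str, now: datetime, whole_host: bool = False) -> None:
        """Add a listing; whole_host=True lists every page on that host."""
        key = "host:" + host_of(url) if whole_host else canonicalize(url)
        self.entries.setdefault(key, Listing(listed_at=now, last_seen_live=now))

    def confirm_live(self, url: str, now: datetime) -> None:
        """A re-check found the phish page still up; refresh its timestamp."""
        for key in (canonicalize(url), "host:" + host_of(url)):
            if key in self.entries:
                self.entries[key].last_seen_live = now

    def check(self, url: str, now: datetime, expire_stale: bool = True) -> str:
        """Return 'blocked', 'stale' or 'unknown'.

        expire_stale=False models a list that never drops an entry once
        the phish page is gone."""
        entry = (self.entries.get(canonicalize(url))
                 or self.entries.get("host:" + host_of(url)))
        if entry is None:
            return "unknown"   # weakness 1: a brand-new phish site is not listed yet
        if expire_stale and now - entry.last_seen_live > self.stale_after:
            return "stale"     # weakness 2: nobody has seen the phish live for a while
        return "blocked"


def demo() -> dict[str, str]:
    """Walk through the cases in the post with made-up URLs."""
    t0 = datetime(2008, 1, 1, 9, 0)
    lst = PhishList()
    phish = "http://example.com/blog/images/paypal/login.html"  # planted on a hacked site
    lst.report(phish, t0)
    lst.report("http://example.org/x/signin.php", t0, whole_host=True)  # whole host listed
    later = t0 + timedelta(hours=1)
    return {
        # variants of the listed URL still match after canonicalisation
        "listed": lst.check("HTTP://Example.COM:80/blog/images/paypal/login.html#ref", later),
        # a host-level entry blocks every page on that host
        "host_listed": lst.check("http://example.org/about.html", later),
        # weakness 1: a phish set up this morning is on nobody's list
        "new_phish": lst.check("http://example.net/secure/update.php", later),
        # weakness 2: owner removed the page after two days; nobody updated the list
        "fixed_site_naive": lst.check(phish, t0 + timedelta(days=10), expire_stale=False),
        "fixed_site_expiring": lst.check(phish, t0 + timedelta(days=10)),
        # the hacked site's front page was never listed, only the phish path
        "site_root": lst.check("http://example.com/", later),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
```

The `expire_stale` switch is the point of the model: with it off, the cleaned-up site is still "blocked" ten days later, which is the second weakness in the post; with it on, an entry nobody has confirmed live for a week drops to "stale", so a browser could re-verify instead of warning. The first weakness has no fix inside the list itself, since a URL nobody has reported simply comes back "unknown".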