Browser developers plot against phishers
The meeting in Toronto included security developers for Internet Explorer, Firefox, Opera and Konqueror, according to blog postings by several of the attendees. The meeting focused on combating phishing scams, which use phony Web sites to trick unsuspecting victims into giving up sensitive information.
Attendees talked about different ways of displaying secure and trusted sites in Web browsers and other measures to thwart phishers.
For example, the next version of IE will show the lock icon indicating a secured Web site more prominently: in the address bar instead of the status bar, Microsoft's Rob Franco wrote on the IE blog. Other browsers, including Firefox, already display the lock more visibly.
Also, to battle Web site spoofing, the address bar in a Web browser should always be displayed, including in pop-up windows, according to Microsoft's delegation.
"A missing address bar creates a chance for a fraudster to forge an address of their own. To help thwart that, IE 7 will show the address bar on all internet windows to help users see where they are," Franco wrote.
Additionally, the browser developers agreed to drop support for weaker, older levels of encryption from their browsers.
While hashing out ways to make Web browsing more secure, the developers also called for a new "strongly verified" security certificate for high-profile sites such as online banks.
"Presently all CAs (certificate authorities) are considered equal in the user agent interface, irrespective of their credentials and practices. That is to say, they all simply get a padlock display when their issued certificate is validated," George Staikos, developer on Konqueror, wrote on the KDE blog.
The padlock icon in a Web browser means that traffic with the Web site is encrypted and that a third party, a certification authority, has vouched for the site's identity. However, there is no standard for how much checking a certification authority does before issuing a certificate, and some phishers have simply signed their own certificates; once a user accepts such a certificate, the browser displays the lock icon for the fraudulent site just as it would for a legitimate one.
"Certification authorities offer certificates with broadly different levels of background checking for the website. Unfortunately, there is no industry standard method for anyone to tell what level of background checking was performed for a given site," Microsoft's Franco wrote.
Representatives for Opera and Firefox, in their own blog postings, agree that stronger certificates can help address the phishing problem. Web sites with the stronger certification would get a special indicator in the browser, telling the user that the site's identity has been verified more rigorously and that it is safe to conduct business there.
IE 7 is expected next year for Windows XP and Windows Server 2003 and will ship as part of Windows Vista, the successor to Windows XP, due out in the second half of 2006.