如何打击网站欺骗/网络钓鱼?

发布于 2024-07-10 01:00:19 字数 33 浏览 9 评论 0原文

对于网站 UI 欺骗的威胁,您建议的解决方案是什么?

What is your suggested solution for the threat of website UI spoofing?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

故事和酒 2024-07-17 01:00:19

根据定义,任何依赖网站在您登录后向您显示个性化信息的解决方案对于网络钓鱼者都是无效的。 如果您尝试登录,他们已经成功

FWIW,我还不知道真正的答案,也许这个问题会提出一些好主意。 然而,我专业从事网络钓鱼、不良域名注册等方面的研究。

我不相信网站开发人员可以实施任何重要的技术解决方案。 同样,根据定义,如果您的用户到达网络钓鱼站点,您将不再拥有控制权。

这就是为什么当前所有的反网络钓鱼技术都驻留在浏览器中,而不是网络钓鱼站点中。

By definition any solution that relies on the site showing you personalised information once you've logged in is ineffective against phishers. If you've attempted to login, they've already succeeded!

FWIW, I don't yet know the real answer, maybe this question will throw up some good ideas. I am however professionally involved in research into phishing, bad domain registrations, etc.

I don't believe there's any significant technical solution that web site developers can implement. Again, by definition, if your users arrive at a phishing site you're no longer in control.

This is why all current anti-phishing technologies reside in the browser, and not in the phished site.

不知所踪 2024-07-17 01:00:19

此问题的关键是识别对真实站点的请求和对欺骗站点的请求之间的一些差异。

最简单的区别是一些基于 cookie 的 UI 首选项。 在您(真实)网站上设置的 cookie 只会返回到您的网站,而绝不会发送到欺骗网站。

现在有很多原因导致有效的 cookie 可能不会发送到您的网站,用户可能使用不同的计算机,或者他们可能有过期/删除的 cookie,但至少您可以保证它不会发送到恶搞网站。

The key to this problem is identifying some difference between a request to the real site and a request to the spoof site.

The simplest difference is some cookie-based UI preference. A cookie set on your (real) site will only ever be returned to your site, and will never be sent to a spoof site.

Now there are plenty of reasons that the valid cookie might not be sent to your site, the user might be using a different computer or they might have expired/deleted cookies, but at least you can guarantee that it won't be sent to the spoof site.

浸婚纱 2024-07-17 01:00:19

我认为唯一的答案是为更好的人编程。

只有当有问题的用户真正意识到这些事情是错误的时候,诸如自定义外观或上传图像之类的事情才有效。 我认为大多数用户除了经常访问的网站之外永远不会认识这些东西。 即使他们这样做了,他们也可能会将其归因于网站设计的变化,而不是网络钓鱼。

I think the only answer here is to program better people.

Doing things like customizing the appearance or uploading an image only work if the user in questions actually recognizes when these things are wrong. I think the majority of users would never recognize these things except for sites they visit a lot. Even if they did they may attribute it to a change in website design and not a phish.

独享拥抱 2024-07-17 01:00:19

一种解决方案是为每个用户定制网站。 仅当用户对网站的看法基本相同时,欺骗才会起作用(一次欺骗 - 许多受害者)。 因此,例如,如果 eBay 让您配置自定义背景颜色,您应该能够注意到您正在查看的页面是某种欺骗性的(不会知道您选择的颜色)。 真正的解决方案有点复杂(比如可能在浏览器中配置一个秘密关键字,只有浏览器才能在密码控件中或在网址栏中呈现,等等),但想法是相同的。

自定义每个用户的 UI,这样欺骗(依赖于大多数用户期望看到基本相同的 UI)就不再起作用。 它可以是基于浏览器的解决方案,也可以是网站向用户提供的东西(有些网站已经这样做了)。

One solution is to customize the web site per user. Spoofing only works when users have basically the same view of the website (one spoof - many victims). So if, for example, eBay would let you configure a custom background color, you should be able to notice that the page you're viewing is some spoof (that won't know your choice of color). A real solution is a bit more complex (like maybe a secret keyword configured in the browser that only the browser can render within password controls or into the url bar, etc.), but the idea is the same.

Customize the UI per user so spoofing (which relies on most users expecting to see basically the same UI) stops working. It can be a browser based solution, or something web sites offer to their users (some already do).

我的鱼塘能养鲲 2024-07-17 01:00:19

我见过一些网站允许您选择“个人”图标。 每当您登录时,都会显示该图标以证明您正在访问其网站。

I've seen some sites that let you select a "personal" icon. Whenever you log in, that icon is displayed as proof that you are on their site.

奶茶白久 2024-07-17 01:00:19
  • 您可以在用户登录时提问(用户已写下答案的问题)。

  • 您可以在登录后显示用户上传的图片,如果用户看不到他的图片(只有他自己可以看到的私人图片)则说明它不是真正的网站。

  • You can ask a question when the user login (a question that the user has written with the answer).

  • You can display a picture after the loggin that the user have uploaded, if the user doesn't see his picture (private that only him could see) than it's not the real website.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文