When Help Doesn’t

A thread on broadbandreports.com alerted me to a Microsoft Knowledge Base article that describes how users can identify spoofed web sites. I do not doubt that Microsoft means well here, but the chances of this article actually helping some of the most vulnerable users are slim to nil.

Think of a less technically savvy web surfer you know - a relative, a colleague, or perhaps a former music professor who once giggled that her computer’s infection with worms and Trojans sounded racy. Now imagine this person being told to “verify the name of the server” before submitting personal information and warned not to “click any hyperlinks that you do not trust”. How useful would (s)he find these instructions?

Moreover, how exactly does one identify an untrusted link or verify a server’s name? The article’s authors place that burden directly on users, requiring them to carry out a sequence of potentially confusing and error-prone steps that involve copying/pasting, scanning for “suspicious” characters, manually typing link URLs into the browser address bar, and running lines of JavaScript code.

SpoofStick was born out of the idea that this is an irresponsible way to approach the problem. Although complete protection from spoofing attacks will probably always require some human participation, I believe we should strive to move more and more responsibility out of users’ hands and into the software.

Doesn’t Mom deserve to have a safe browsing experience without all the hoop-jumping, tedium, and paranoia?
