encyclo - 5:06 pm on Nov 7, 2006 (gmt 0)
I am concerned by Opera's proposed solution. It seems as if they are simply jumping on the bandwagon rather than adding an anti-phishing feature due to any particular demand. Let's face it, Opera users don't tend to include the granny contingent. The suggestion that they would send real-time information in the clear (unencrypted) is not reassuring. It is a reaction to IE7's encrypted connection (where you can't be sure what is being transmitted), but is no better a solution. The IE7 "whitelist" seems flawed in practice as well, and in any case there is a significant weakness in all the current implementations - the inability to handle the increasing problem of DNS poisoning. MS can decide to whitelist "google.com" or "msn.com" to reduce connections to the anti-phishing servers, but this opens up a hole with false positives if the phisher uses DNS poisoning or spyware-installed hosts file modifications to switch calls to a whitelisted site to the attacker's server. It isn't a zero-gain issue for end-users - anti-phishing technology can help in limited circumstances to reduce the effectiveness of simple phishing scams. However, the implementations are under-developed, incomplete, badly thought-out and ineffective against anything but the simplest of threats. There's a long way to go before getting to the sort of on-page analysis suggested by IncrediBILL in the above post.
Let's face it, anti-phishing as offered by IE7 and FF is mostly snake-oil. The Firefox solution is less damaging in terms of leaking user data with little in the way of reduction in effectiveness; however, the situation remains that FF2.0 is still phoning home every half-hour to a Mozilla server, in the process sending the user's IP address and browser version number / OS version string.
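The weakness encyclo describes above (a domain-name whitelist that is silently bypassed when a spyware-modified hosts file pins a trusted name to another address) can be checked for from the defender's side. The following is an added example written for this page, not code from the post, from Opera, Microsoft or Mozilla: it parses hosts-file text and reports any entry that overrides a name on a hypothetical high-value list, separating genuine redirects from loopback-style sinkhole entries that ad blockers commonly add. The domain list and the sample hosts content are constructed for illustration.

```python
"""Hosts-file override check (added example; not from the post or any browser vendor).

A whitelist keyed on domain names trusts the name, not the address the OS
resolves it to. If the local hosts file maps a whitelisted name elsewhere,
the resolver never consults DNS and the whitelist check passes while the
user talks to the wrong server. This script flags such entries.
"""
import ipaddress

# Hypothetical list of names a whitelist-based filter might trust (constructed).
HIGH_VALUE_DOMAINS = ("google.com", "msn.com", "example-bank.test")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line (address with no names), ignore
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 address
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def matches_high_value(name, domains=HIGH_VALUE_DOMAINS):
    """True if name equals, or is a subdomain of, any protected domain."""
    return any(name == d or name.endswith("." + d) for d in domains)


def find_overrides(text, domains=HIGH_VALUE_DOMAINS):
    """Classify hosts entries that touch a protected name.

    Loopback/unspecified pins (127.0.0.1, 0.0.0.0, ::1) are reported as
    sinkholes; any other address means the protected name is being
    redirected away from DNS resolution entirely.
    """
    redirects, sinkholes = [], []
    for ip, name in parse_hosts(text):
        if not matches_high_value(name, domains):
            continue
        if ip.is_loopback or ip.is_unspecified:
            sinkholes.append((str(ip), name))
        else:
            redirects.append((str(ip), name))
    return {"redirects": redirects, "sinkholes": sinkholes}


# Constructed sample hosts file for demonstration (addresses are documentation ranges).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# A legitimate local override, not on the protected list
192.0.2.10  intranet.corp.test
# Suspicious: protected names pinned to a TEST-NET address
203.0.113.7 www.google.com google.com
203.0.113.7 login.example-bank.test   # trailing comment
# Sinkhole-style entry, usually an ad blocker
0.0.0.0     ads.msn.com
"""

if __name__ == "__main__":
    result = find_overrides(SAMPLE_HOSTS)
    for ip, name in result["redirects"]:
        print(f"REDIRECT  {name:30s} -> {ip}")
    for ip, name in result["sinkholes"]:
        print(f"SINKHOLE  {name:30s} -> {ip}")
```

Run against a real hosts file (for example `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`), a non-empty `redirects` list for a protected name is the condition the post warns about; the sinkhole category is separated out because loopback pins are a common, benign ad-blocking practice and would otherwise drown the signal.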