Wednesday, May 24, 2006

HTML recommendation to combat against phishing

As we know, phishing is very active on the Internet nowadays. Phishing works in part because we allow a user's password to be sent in plain form to the server; a phisher can collect usernames and passwords by setting up a fraudulent website that looks like a legitimate one and tempting the user to enter their secret information. I am suggesting a new attribute for the HTML input element to improve on what we currently use for password input (<input type="password">). The new attribute would be something like <input type="challenge" param="some random string" value=...>. The browser would render this as a password box that looks significantly different from the one we use today, to indicate that it is secured, and when sending out the data it would use the value typed by the user to encrypt the random string and send the result back to the server.

As you can see, the idea is to avoid sending the password in its plain form to the server; instead, the password is used as the key to encrypt a string. Given corresponding changes on the server side to generate a random string with a proper timeout period when the user accesses the login page, and to use the same encryption/decryption mechanism to check the result against the stored password, phishers can no longer harvest plain passwords, only an encrypted form of them. This new HTML input attribute could guard against today's phishing activities to a certain extent. How does everyone feel about this addition?

p.s. This scheme may be vulnerable to a man-in-the-middle attack: once a victim visits the phishing page, the phisher contacts the legitimate site, asks for a random string, and passes that random string on to the victim. Once the phisher collects the salted password from the victim, it forwards it to the legitimate site and gains control of the login. This can probably be fixed by having the random string include the client and server IP addresses (or some value derived from these two values), so that the client (browser) is able to tell whether the random string was sent by the server it is talking to.