Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> The solution is to go only to the right site.

i.e. blame the victim. This generalizes to: the solution to user error is for the user not to make errors.

So no, that is not the solution.



Well, name one error that persists despite not making the error, and you can definitely say I'm wrong. But that wasn't the point. The solution is to go to the right site. You were supposed to use your imagination to come up with ways that might be caused to happen. The article and commenters here suggested password managers that discriminate between the right site and the wrong site, that's an example. "OH SURE BLAME THE VICTIM FOR NOT INSTALLING A PASSWORD MANAGER!" If you're looking for a solution that doesn't whatsoever require the participation of the user, you may meet with some degree of disappointment.

There may be viable solutions that include still going to the wrong site, but I know for a fact that going to the wrong site does not happen if you go to the right site. It's a tautology just like your disingenuous Twitter-style reductionist accusatory re-interpretation of my comment suggests. Speaking of which, if you want to blame the victim, go right ahead (that was your idea), but I don't think the computer cares who gets blamed, unless and until it affects what gets typed in or clicked.


Actually better education and training is often the only real solution. It isn't "victim blaming" if the situation is at least theoretically within the victim's control. If some random "plumber" that I didn't call for shows up at my house, asking to be let in to replace some of my pipes, and I say "okay", then he robs me, is it victim blaming to say perhaps I should have been more suspicious of strange plumbers randomly showing up at my house to do work?


> education and training is often the only real solution

No. That is never the real solution. At best it is a necessary evil, but generally resorting to this is a reflection of a failure of imagination.

The reverse authentication problem in particular is easily solved by the right UI design plus some improved infrastructure behind the scenes. Certificate pinning, for example, would help a lot. The hard part is not coming up with a solution, or even implementing it, but convincing everyone to adopt the solution because it doesn't help unless it is widely deployed.


If the easy part is the implementation and the hard part is convincing people of its value then I can say one or more of the following are true:

- Your solution is not sufficiently great as to be self-evidently great.

- People (i.e. the victim) must be faulted (i.e. blamed) for their inability to be convinced of its inherent majesty.

- Given convincing's similarity and overlap both with educating and with training, you are having a failure of imagination. (Source: Your comment.)


The problem is that the people who need to be convinced are not the people who are being harmed by phishing. The people who are being harmed by phishing (non-technically-savvy end-users) are powerless. The people who need to be convinced of the merits of the solution are browser vendors and web site operators. Both groups would need to work together to solve the problem. Getting that to happen is the hard part. It's a very real problem, but it's a political problem, not a technical one.


Explain how any solution prevents the user from opting out of yubikey and typing self-XSS into Dev console to get owned.

Unless you have a 100% vendor controlled system, (more than Apple + ChromeOS combine) you have to rely on the user not breaking their own security.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: