<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08-Feb-17 4:54 PM, Bill Cox wrote:<br>
</div>
<blockquote
cite="mid:CAOLP8p7_+yRezNoKg+8RFgyuq07ztUod5o6zAD9-Wo6dVqqKBA@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div>So, maybe if we just used a confidence image for our
corporate logins we'd get better results. For example,
if you worked for Microsoft, then you'd see the special
un-clonable Microsoft login page, with a secret picture,
maybe a secret color scheme, etc. Apparently, this does
help, but the folks I talked to said that a significant
majority of workers who see their corporate login page
every day will _still_ enter their username and password
on the first form that asks for it, even with a domain
name that is quite different than their corporate domain
name.</div>
<div><br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
Yes, I agree with all this. I figure this solution will force the
phishers into the Certificate Authority domain. Force them to up
their game. Right now they don't need any TLS certificate. Also,
while I agree with your stories, I hate a good solution being
dismissed because there are idiots out there. In my opinion proper
cryptographers should see the simplicity of this solution. The
responses I've got so far are very helpful because they indicate
people are just not reading my paper.<br>
<br>
They look at the picture and assume it's SiteKey, which it is not!<br>
<br>
Thanks<br>
</body>
</html>