Phishing exploits the ordinary Internet userís inability to be sure that a web site which they have been induced to visit is actually operated by the company or organization whose name appears on screen.
Yet the technology and infrastructure to verify precisely this not only exists but is deployed and used daily by every popular browser. Digital certificates can provide browsers with a reliable source of information about site owners which users can access via the padlock icon, although the information is not as useful as it might be and the padlock display is unintelligible.
Current anti-phishing solutions make use of established pattern recognition and blacklisting approaches but are not expected to be fully effective on their own and are widely seen as being components of an integrated solution.
Digital certificates, on the other hand, are designed to provide an effective whitelist of assured identities. There is also a clear synergy between the roles of certification authorities and traditional trusted third parties such as banks, auditors and online business information providers which means that existing certification services can readily be leveraged to provide the consumer with evidence of legitimacy and good standing in addition to mere identity.
This paper explores the reasons why this approach has never been seriously explored and proposes that a user friendly version of the padlock, providing trustworthy and helpful information about web site owners in plain language, would be a practical tool with which consumers could protect their own interests.
Empowering the consumer in this way would not eliminate the dangers of phishing but it would certainly change the nature of the risks and responsibilities.
Many organizations and agencies would have an interest in promoting such a solution.
This document is in PDF format. To view it click here.