From: Gregg Reynolds (email@example.com)
Date: Mon Feb 14 2005 - 03:56:28 CST
Antoine Leca wrote:
> On Friday, February 11th, 2005 15:52Z Gregg Reynolds wrote:
>>Couldn't it be based on system (or browser) locale?
> If my locale is
> how can you guess my script?
Perhaps not; but if you take "locale" a little more informally to mean
"some kind of information about the user's linguistic preferences" it
seems reasonable. It's really a matter of browser design. One option
is that when you install the browser it asks you the right questions so
that it will then know how to do the right things linguistically.
(Adding a note that I inadvertently sent from the wrong email account in
response to a different correspondent:
> I fear that all of these ideas for issuing warnings or marking the
> dubious constructs in some browser status region are only going to
> be of help to the small percentage of people who are savvy enough
> to understand the problem. The vast majority of users disable/click
> through a sea of warnings either through ignorance, a low security
> stance or because some more technical person told them to ignore it.
I'll wager that the vast majority of users in fact has a very high
security stance - they're afraid to do financial transactions on the
web. For those who aren't, the rule is simple and effective: just as
you never give your confidential info over the phone unless you placed
the call, you never give that info over the web unless you typed in the
url. My dear old mum figured that out and I didn't even have to
instruct her; it's just common sense. Problem solved.
The whole issue is way beyond the scope of technology standards. It's
no more a technology problem than telemarketing fraud is a problem with
telephony standards and products.
Personally I'm inclined to be against any restrictions at all on urls
beyond those necessary for purely technical, not criminological,
reasons. If I have a hard time typing in a URL (e.g. it uses dingbats
or other oddball symbols from the Unicode roster), then I won't divulge
any confidential info on that site. Legit operators will be aware of
this, so they won't use such URLs. As the marketplace and the culture
adapt to the use of the web, technology-specific "common wisdom" will
evolve, which parents will teach their kids, just like "don't take candy
from strangers." Urban legends illustrating all the risks of the web
will make the rounds. Etc.
There will always be a small percentage of people who fall for scams, no
matter how much they've been warned or how obvious the fraud. It seems
unbelievable, but some people really do fall for the Nigerian 4-1-9
scams (http://www.secretservice.gov/alert419.shtml) just as some people
who receive cold-call sales pitches from conmen end up parted from their
On the other hand, I guess phishing does seem to be a different category
of fraud, since it doesn't rely on victim psychology. Victims of standard
frauds like 4-1-9 are not entirely innocent; they are victims of their
own greed. This is also true of those who fall for seemingly legit
get-rich-quick telemarketing scams. You cannot protect such people from
themselves. But URL fraud relies purely on deception, not on stoking
the victim's greed. It's more like impersonating a police officer. But
I'm still not entirely convinced it's something tech standards need to
If url fraud begins to become a real problem (as opposed to an
unfortunate but relatively minor social problem), first of all folk
wisdom addressing the problem will spread rapidly, and second of all the
market will address it - browser makers will seek advantage by coming up
with innovative features to deal with it. Worst case scenario: the
politicians and the news media decide there's advantage to be had in
stirring up WebPanic about such fraud, so that they can be seen as
Defenders of the Common Folk, and the next thing you know they start
imposing gov't regulation.