Someone once posted a link on hackernews titled "new phishing attack uses google domain to look legit"
I opened it in a new tab along with several other links to read; I was expecting a nice blog post explaining an exploit.
After about 20min of reading the other tabs I came across that tab again. I had forgotten the title of what I had clicked; I'm not sure I even remembered it was a Hacker News link that got me to that page.
"Oh, looks like Google has randomly logged me out, that doesn't happen often" I think as I instinctively enter my email and password and hit enter.
Followed half a second later by "oh shit, that wasn't a legitimate Google login prompt."
I raced off to quickly change my password, kick off any unknown IPs and make sure nothing had changed in my email configuration.
I'm lucky I came to my senses quickly. I think it was the redirect to the generic Google home page that made me click, along with the memory of the phishing-related link I had clicked 20min ago.
There should really be a browser-managed 'tainted' flag on any tab opened from an email that prevents password input. Or if not prevents, at least a scary warning click through like an unsigned certificate creates, which at least shows the true full domain name.
Whenever I read about phishing it seems insane we have a system that requires human judgement for this task. If there isn't a deterministic strategy to detect it, how could the user ever reliably succeed? And if there is such a strategy, it should be done by the mail server, mail client, and browser.
Even an extension doing this might work in a corporate context. That makes me wonder if companies do their own extensions to enhance the browser for their needs. If all your employees are using web browsers for multiple hours per day it might really be worth it.
That's exactly what it's for: finding patterns that are too hard or too complex for humans to find. Enumerating every edge case of "enter a password" is not possible for a human, and whatever edge cases we humans miss _will_ be exploited by someone to compromise someone else.
It's also a matter of volume. How many pages can you evaluate and categorize in an hour versus how many can a ML system do in the same? I once saw a demo where a firewall/virus scanner app could detect malware heuristics dynamically by comparing to a baseline system, and could do so in 10 seconds or less per item. It would take a human more than 10 seconds just to read the report to generate a rule, and humans don't scale nearly well enough.
There are lots of complaints to be had about ML and privacy / fairness / ethics / effectiveness, but this shouldn't be one of them.
> There should really be a browser-managed 'tainted' flag on any tab opened from an email that prevents password input
I was going to say that couldn't be done, but then thinking about it - obviously, the way OSes currently work, you can't know if it came from an email, but you can know it came from an application that was not the browser (although that of course would require the browser to keep track of where a tab came from, which I assume they already do). But then links opened from a web-based email client would not have this scary warning click-through.
They were created 60 years ago as an additional layer to on-site physical access, in a world with a compute and network capacity billions of times less than today.
That's a good point, it might be more productive to focus on U2F type solutions since they protect against this attack and others, where this is only a bandaid with a convenience cost.
The problem is clearly pretty deep. One possibility is that it's inherently inconsistent with a deep, high speed, long range, high bandwidth data regime. We live in a universe where all of us are ventriloquists, or may be ventriloquist dummies.
There's the questions of what identity is, and its distinction from identifiers or assertions of identity.
There is the matter of when you do or do not need to assert or verify a specific long-term identity, and when you do. When identifiers require a close 1:1 mapping, and when they don't. Of what the threat models and failure modes of strong vs. weak authentication schemes are.
And ultimately of why we find ourselves (individually, collectively, playing specific roles, aligned or opposed with convention, the majority, or other interests) desiring either strongly identified or pseudonymous / anonymous interactions.
Easy or facile mechanisms have fared poorly. Abuses and dysfunctions emerge unexpectedly.
I like the "tainted" tab idea. Maybe warn the user if the site attempts any non-GET HTTP request. "Are you sure this site is legitimate? It could be a phishing attempt."
This is why an auto-filling password manager is an essential security tool for every internet user. If your password manager doesn't autofill/offer to fill your passwords, the domain isn't legitimate.
Password managers are great for security and super convenient. It continues to shock me how many people surf the web while continuing to type the same password into dozens of sites, and then they wonder why they fall for phishing.
Autofill matching breaks in many ways on the same website, so you have to keep on doing it manually. Ex: Chase has about 5 different ways / pages you can enter your login credentials.
That sounds awful, but all you need to do is add all the legitimate domains to your chase login record, then you are phish-proof.
Obviously autofill itself can break on complex page layouts, and that's fine. The security comes from the password manager doing domain matching and offering to fill the password when you click on its addon menu.
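The domain-matching check the comments above rely on (a saved login that lists several legitimate domains, and a manager that only offers to fill when the real host matches one of them), as an added example that is not code from any password manager; all domain names in it are constructed:

```javascript
// Added example (not from the thread): how a password manager can decide,
// deterministically, whether to offer a saved login on the current page.
// Domain names below are constructed for illustration.

// A saved login record may list several legitimate domains, as suggested
// for a bank that spreads its login across different hostnames.
const savedLogin = {
  name: "example bank (constructed)",
  domains: ["examplebank.com", "secure.examplebank.net"],
};

// Return true only if `host` is the registered domain itself or a
// subdomain of it. A plain substring test would be fooled by lookalikes.
function hostMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Decide whether to offer autofill for a page URL. The URL parser, not the
// human eye, determines the real host, so decoys placed in the path, query
// or userinfo part of the address do not count.
function shouldOfferFill(record, pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false; // unparseable address: never fill
  }
  if (url.protocol !== "https:") return false; // no credentials over plaintext
  return record.domains.some((d) => hostMatches(url.hostname, d));
}

// Constructed sample addresses: legitimate pages and typical lookalikes.
const samples = [
  ["https://www.examplebank.com/login", true],
  ["https://secure.examplebank.net/auth/step2", true],
  ["https://examplebank.com.evil.example/login", false], // suffix lookalike
  ["https://examplebank-login.com/", false],              // hyphen lookalike
  ["https://examplebank.com@evil.example/", false],       // decoy in userinfo
  ["https://evil.example/examplebank.com/login", false],  // decoy in path
  ["http://www.examplebank.com/login", false],            // not https
];

for (const [u, expected] of samples) {
  const verdict = shouldOfferFill(savedLogin, u) === expected ? "ok  " : "FAIL";
  console.log(verdict, u);
}
```

The lookalike cases are exactly the ones a tired human misreads; the parser-based check never does, which is the property the password-manager argument rests on.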
> Chase has about 5 different ways / pages you can enter your login credentials
If they had 5 different ways, that'd be one thing. Lately, I've been seeing different domains. For example the marketing department registers a domain such as AcmeExclusives.com.
No, this is why FIDO/U2F is essential. Password managers are good but people regularly search and autofill across domains because most companies, especially in industries like finance and HR, have spent years training users to expect random vanity domains and renaming every time someone in marketing wants to mark their territory. People phish TOTP similarly.
In contrast, the FIDO design cannot be used across domains no matter how successfully you fool the human.
U2F keys start at $15, so there’s a barrier but it’s hardly “super expensive”, and they’re supported by a fair fraction of major sites (Facebook, Google, Twitter, GitHub, Gitlab, login.gov, etc.).
But yeah, it can happen to anyone on a bad day.