
You can call `document.location="http://badsite.com"; e.preventDefault();` in a click (mousedown, mouseup, mouseclick) handler, too. You aren't going to ever prevent this kind of thing from being possible without killing the modern web as we know it.

Instead of making a big deal out of it (phishing 2.0? really?), why not focus on phishing detection and prevention instead? I do it by using LastPass with randomly generated passwords that I don't actually know. I have to go to LastPass for my login information, and it provides information filtered by the domain I'm on. If I'm on badsite.com rather than paypal.com, LastPass won't offer my PayPal information to fill. Problem solved.
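As an added example of the domain-scoped fill that the comment above relies on (my own illustration, not LastPass code; the vault entries are constructed), this checks whether a credential belongs to the page's hostname and rejects suffix tricks such as `paypal.com.badsite.com` or a hostname hidden behind `user@`:

```javascript
// Constructed sample vault: which site each credential belongs to.
const VAULT = [
  { site: "paypal.com", username: "alice@example.com" },
  { site: "accounts.example.org", username: "alice" },
];

// True only when host is exactly `site` or a subdomain of it
// ("www.paypal.com" matches "paypal.com"; "paypal.com.badsite.com" does not).
function hostMatchesSite(host, site) {
  host = host.toLowerCase().replace(/\.$/, "");
  site = site.toLowerCase().replace(/\.$/, "");
  return host === site || host.endsWith("." + site);
}

// Return only the vault entries that may be offered on the given page URL.
// The URL parser normalises case, strips userinfo ("paypal.com@badsite.com"
// has hostname badsite.com) and converts lookalike Unicode labels to punycode,
// so string tricks in the address never produce a match.
function credentialsForUrl(urlString, vault = VAULT) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return []; // unparseable address: offer nothing
  }
  // Only fill into http(s) pages, never data:, javascript:, file: and so on.
  if (url.protocol !== "https:" && url.protocol !== "http:") return [];
  return vault.filter((entry) => hostMatchesSite(url.hostname, entry.site));
}
```

On `https://www.paypal.com/signin` the PayPal entry is offered; on `https://paypal.com.badsite.com/` or `https://paypal.com@badsite.com/` nothing is.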




Okay, Phishing 2.0 may have gone a bit too far. I hold my hand up there. As for LastPass, I use that and it's great -- but this poses a problem for those who don't use LastPass, etc. or those who use mobile.


LastPass works just fine on my Android phone. :)

Phishing is an ever-present problem, and does require vigilance from both browser vendors and users, but I really don't think that this contributes to the problem in any significant way, simply because there are completely legitimate browser features that can be used to exactly the same effect, and for which the difference between "benign" and "hostile" use is entirely subjective and undetectable by software. Fixing this would have exactly no impact on the bad guys' ability to conduct a blind redirection.



