Known Anti-Spoofing Techniques
- Limits on scripting capabilities, in particular on script-driven manipulation of browser chrome (e.g. opening windows with the location bar or status bar hidden, or moving and resizing windows).
- Personalizing the chrome with a visual (image, colour scheme) that is sufficiently random or personal that web content cannot guess or reproduce it. Open question: what happens to portability when the user moves to another machine or browser?
- Interactive ceremonies that help establish a trusted path between user and browser, e.g. a secure attention sequence (SAS). Security-sensitive functions should be reachable through such a sequence, which web content cannot intercept or forge; the browser should make this possible.
- A security monitor that reports the security state of the connection over a separate channel that web content cannot spoof.
- Disabling DHTML (script-driven manipulation of the rendered page) in certain modes.
- Site authors using TLS whenever user credentials are requested, so that the page carrying the form, not only the submission target, is served over an authenticated, encrypted channel.
- Displaying a token on the website that authenticates the content provider to the user. Make it a layered approach: first show the token, selected on the basis of a cookie held by the user's browser, so the site authenticates itself; only once the content provider has been authenticated ask for user authentication.
- A consistent way to display reputation service data.
- Reserved screen real estate: an area of the browser window that web content cannot draw into.
- Certain rendering effects reserved to the browser and unavailable to web content, e.g. transparency.
- Using alternative devices for authentication or transaction confirmation (out-of-band authentication).
- Password Key TLS (aka SRP TLS), where the TLS handshake is authenticated with the user's password rather than only a server certificate. Open question: does it belong on this list?