User based solutions are a viable way of dealing with the inconvenience of spam, but manifestly useless for dealing with the dangers of scams, because the nieve and gullible which are the scammers intended audience are the very people that lack the skills to understand how to employ any user based protection. So user based protection could actually help scammers target their desired audience.

Seen this? it offers some interesting insights:
http://www.oreillynet.com/pub/a/network/2004/10/13/phishing.html

Ever tried tapping in to one of these spammers IRC channels to see what sort of things are being talked about?

Regards,
DigbyT

The idea is that the user-based solutions do the work. It's pretty clear that users can't cope with anything but the most basic displays, and the old historical notions of the security model (the padlock and the popup) are as dead as a hooked account.

But, users respond to brand and consistency. Especially the nieve and gullible - that's what TV is all about. There are some fairly simple things that can be done to browsers to show whether one has been there before, and to relate those visits to some persisitent contexts.

Specifically, browsers should list more of the cert information on their chrome, they should list information like past visits counts and times, and also (very important) show which certificate provider is involved. This information needs to be rather prominent, and colourful. Imagine something like Intel Inside, but using Verisign instead.

Whether this gets done or not is an open question. Oddly enough, I just discovered that FireFox has included some changes - an extra padlock (bad) and the name of the website connected to (good).

(Oh, and encrypting everything is not going to do a jot towards or against phishing. But, crypto everything, yes. That includes setting up cert-authorised communications, and those certs can be used to do visit statistics which are meaningful to the user. But not the phisher. It's just a shame that the crypto in browsers is "intended for paying merchants" and not oriented to securing the sessions. That's what we mean by "encrypt everything" ... including forcing the scammer to start identifying himself.)

If the companies that manufacturer browsers where to adopt a standard that envisioned the protection of the users then that standard might grow to include other unsafe applications. Of course this would be the death of MicroNazi and their buddies. So encrypting everything seems like a nice idea but not practical in the everyday usage. Ease of use while remaining safe is like taking a shower in a raincoat. I have taken damage and now try not to use MicroNazi applications.