The OP's point is that displayed content can be made to be indistinguishable from visual elements of the browser even for technically sophisticated users in the near future.
This reminds me of login spoofing of yesteryear. How do you know if the login prompt on a shared computer or terminal is really from the OS or is a user-level program trying to steal passwords?
The usual solution was to hit a special attention key--like the "break" key under UNIX or Ctrl/Alt/Del for Windows--that user-level programs could not intercept.
Could we use the same idea here? Holding the "break" key will highlight genuine messages from the browser or the OS.
A long time ago I wrote a small program that would mimic the entry point of a DEC terminal server, slow-baud-rate screen refresh and all, and with the permission of the computer lab manager I installed it on a few PCs, next to the original DEC VT terminals that were actually connected to the server.
It didn't save any passwords or such, just displayed some random funny nonsense message to the user after s/he inserted login and password and then looped back again to the login prompt with a failed error message.
Even with this obvious message that would warn an alert user of the suspicious terminal, we (my friends and the lab manager) got a few laughs when people coming to the lab and finding all the VT terminals taken would use the PCs to log in and try several (many!) times until giving up, at which point we would tell them the truth. Mind you, these were people comfortable with VT terminals and the unix cli and somewhat computer savvy!
Easy solution. Logging in takes two passwords. After you enter your first password (first 8 chars of your 16 char password) you are presented with an image of a Tiger. You now trust the system. (The picture of a tiger was your secret image). You now enter your second password (the remaining 8 chars of your 16 digit password).
Great, you've now effectively reduced your password complexity to a measly 8 characters, while forcing the user to remember a 16-character long password.
If the user selects their 'secret image' from a known pool of images (as would probably be the case if this is at the OS-level), then the attacker just has to select one of those images (preferably a cute one) and then they know that at least some of the users they snag will have that as their security image.
SiteKey is completely susceptible to Man-in-the-middle (unless the user is a scrupulous cookie-manager and refuses to re-authenticate a computer more than once), so adds minimal value over regular SSL.
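A toy model of the two-stage "secret image" login discussed above, added here as an illustration and not from any commenter or from SiteKey itself. The names, passwords and image are constructed; the point is that the user's image check passes identically whether the user talks to the genuine server or to a party that merely forwards each step, so the image never authenticates the server.

```python
# Added example (not from the thread): a toy model of the two-stage
# "secret image" login. All data below is constructed for the demonstration.

SECRET_IMAGES = {"alice": "tiger"}          # constructed per-user secret image
PASSWORDS = {"alice": "correcthorsebatt"}   # constructed 16-char password


class Server:
    """The genuine login service: step 1 returns the image, step 2 checks the rest."""

    def step1(self, user, first_half):
        if PASSWORDS.get(user, "")[:8] == first_half:
            return SECRET_IMAGES[user]
        return None

    def step2(self, user, second_half):
        return PASSWORDS.get(user, "")[8:] == second_half


class Relay:
    """A party between user and server that only forwards messages.
    It needs no prior knowledge of the secret image."""

    def __init__(self, server):
        self.server = server
        self.seen = []   # what passed through the relay, for the demonstration

    def step1(self, user, first_half):
        self.seen.append(("step1", user, first_half))
        return self.server.step1(user, first_half)

    def step2(self, user, second_half):
        self.seen.append(("step2", user, second_half))
        return self.server.step2(user, second_half)


def user_login(endpoint, user, password, expected_image):
    """The user's procedure: send half, check the image, then send the rest.
    Returns (image_matched, login_accepted)."""
    image = endpoint.step1(user, password[:8])
    if image != expected_image:
        return False, False            # the user stops here, as the scheme intends
    return True, endpoint.step2(user, password[8:])


def compare_flows():
    """Run the same user procedure directly and through a relay."""
    server = Server()
    direct = user_login(server, "alice", PASSWORDS["alice"], "tiger")
    relay = Relay(server)
    relayed = user_login(relay, "alice", PASSWORDS["alice"], "tiger")
    # Both flows look identical to the user; the relay has seen both halves.
    return direct, relayed, [step for step, _, _ in relay.seen]
```

The only thing that distinguishes the two flows is which endpoint the user's connection actually terminates at, which is exactly what the image does not tell the user and what channel authentication (the SSL mentioned above) is for.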