Yes, but more smart people that visit a clear phishing website later on understand their mistake and change their password. If you could perform actual actions on a letsencrypt certificate website that perhaps has a slightly different url, you'd most probably be less sceptical.
A bit of a loss of context. Angular was mentioned in the context of how servers serve Angular apps: if instead of serving index.html the server would serve a different whole url.
And my worries are mainly due to the solution I proposed (as a patent(!)) and later on abandoned.
I am wondering whether to invest my time and, furthermore, additional money in this.
Again, I haven't yet tested it. But I'd like to hear what the community has to say, in relation to that, about my direction with the solution I'd been working on.
Thank you for the reference! Would you mind seeing if you can reflect on my solution idea, which I'm questioning myself about? I filed a patent for it and mentioned it in a comment above. Please
The thing is that I claimed to have a solution and I even filed a patent for it. Some time later I understood I need many iterations to even understand if I’m right or wrong. The direction is OK, but I’m still trying to understand if I’m the right person to solve this problem: I am sending a secret via Email (which is a right direction), then to send and receive data to and from “bank.com” I send it to a Frontend JavaScript code that has access to this secret key (user clicks a link in the Email). The JavaScript resides on a subdomain of my service which is whitelisted via CORS.
If anyone would read this, could you please reflect?
Isn't CSP controlling what you can fetch FROM your website? The proxy in the example I mentioned can act as a simple web browser behind the scenes. Unless I'm missing something.
Not claiming it to be novel or new at all. Just trying to understand. I'll think about CORS. Meanwhile my thought (correct me if I'm wrong) is that CORS would be irrelevant, since on behalf of bank.com it is simply controlled by a regular viewer, while the real user is just telling the proxy where to click and what to do.
CORS policy would say "okay end user, you can load everything from me, but also get jquery from <some jquery CDN>. no resources can come from anywhere else".
It's not a bad idea to just put in a CSP (always put in a CSP!), CORS policy, and Same-Origin. This is configured on your app rather than server (usually).
MDN is one of the better resources for this, and links out to other authoritative resources in the additional info section of a directive.
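As an added example (not code from any commenter, nor from MDN): a small Python checker that parses a Content-Security-Policy header and decides whether a page at a given origin may load a given resource, using the "everything from me, plus jQuery from one CDN" policy shape described above. The policy string, the `bank.example` origin and the URLs are constructed for the example; the matcher covers only the common source forms ('self', a scheme such as `https:` or `data:`, and a host with optional scheme, wildcard subdomain and port), not the full CSP3 matching algorithm (path matching and scheme upgrades are left out).

```python
"""Evaluate resource loads against a Content-Security-Policy header.

Illustrative code added to the discussion, not from any commenter.
The sample policy, origin and URLs below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str):
    """Return (scheme, host, effective_port) for a URL; host is '' for data: URLs."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def source_matches(expr: str, page_origin: str, resource_url: str) -> bool:
    """Does one CSP source expression permit resource_url for a page at page_origin?"""
    expr = expr.lower()
    r_scheme, r_host, r_port = _origin(resource_url)
    if expr == "'self'":
        return _origin(page_origin) == (r_scheme, r_host, r_port)
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if expr.endswith(":") and "/" not in expr:
        return r_scheme == expr[:-1]  # scheme-source such as "https:" or "data:"
    # host-source: [scheme://]host[:port][/path]; path matching is omitted here,
    # and a scheme-less host-source is matched on host and port only
    e_scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host_port = rest.split("/", 1)[0]
    e_host, e_port = host_port.rsplit(":", 1) if ":" in host_port else (host_port, None)
    if e_scheme and e_scheme != r_scheme:
        return False
    if e_host.startswith("*."):
        if not r_host.endswith(e_host[1:]):  # "*.cdn.example" matches sub.cdn.example only
            return False
    elif e_host != r_host:
        return False
    if e_port is not None and e_port != "*" and str(r_port) != e_port:
        return False
    return True


def allowed(policy: dict, directive: str, page_origin: str, resource_url: str) -> bool:
    """Evaluate a fetch directive, falling back to default-src as browsers do."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: this CSP places no restriction on the load
    return any(source_matches(s, page_origin, resource_url) for s in sources)


# Constructed sample: "everything from me, plus jQuery from one CDN, plus data: images"
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://code.jquery.com; img-src 'self' data:"
PAGE_ORIGIN = "https://bank.example"  # constructed placeholder origin


def evaluate_sample() -> dict:
    """Run a few representative loads against SAMPLE_CSP and return {url: allowed}."""
    policy = parse_csp(SAMPLE_CSP)
    cases = [
        ("script-src", "https://bank.example/static/app.js"),
        ("script-src", "https://code.jquery.com/jquery-3.7.1.min.js"),
        ("script-src", "https://cdn.other.example/payload.js"),
        ("connect-src", "https://api.third-party.example/data"),  # falls back to default-src
        ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ]
    return {url: allowed(policy, directive, PAGE_ORIGIN, url) for directive, url in cases}


if __name__ == "__main__":
    for url, ok in evaluate_sample().items():
        print(("allow " if ok else "BLOCK ") + url)
```

Running it shows the two points the comments circle around: the page's own script and the one whitelisted CDN are allowed, a script from any other host is blocked, and a `connect-src` call to a third-party API is blocked because the directive falls back to `default-src 'self'`. That is the "what my page may load from" question CSP answers; it says nothing about which foreign origins may read responses from the server, which is the separate CORS question.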
I will create a demo of how I hijack my own account using session hijacking and a simple laptop, and show it to you so you get convinced of the purity of the provided signmeonly.io service I described above.