[145525] in cryptography@c2.net mail archive


Re: A mighty fortress is our PKI, Part II

daemon@ATHENA.MIT.EDU (Bill Stewart)
Sat Jul 31 18:02:39 2010

Date: Fri, 30 Jul 2010 15:08:22 -0700
To: cryptography@metzdowd.com
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <AANLkTikqMwU6Vm6Q=2R727+iX-tLk-Lmnp3G85pK707n@mail.gmail.com>

At 07:16 AM 7/28/2010, Ben Laurie wrote:
>SSH does appear to have got away without revocation, though the nature
>of the system is s.t. if I really wanted to revoke I could almost
>always contact the users and tell them in person. This doesn't scale
>very well to SSL-style systems.

Unfortunately, there _are_ ways that it can scale adequately.
Bank of America has ~50 million customers,
so J. Random Spammer sends out 500 million emails saying
"Bank of America is updating our security procedures,
please click on the following link to update your browser."
It's more efficient for BofA to send out the message themselves,
only to actual subscribers, with the actual keys,
helping to train them to accept phishing mail in the process,
but apparently even doing it the hard way scales well enough for some 
people to make money.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
