[15755] in cryptography@c2.net mail archive
Re: Can crypto help against Phishing, Spoofing and Spamming...
daemon@ATHENA.MIT.EDU (Amir Herzberg)
Wed Jul 14 15:50:56 2004
X-Original-To: cryptography@metzdowd.com
Date: Wed, 14 Jul 2004 15:57:33 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
To: John Levine <johnl@iecc.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <20040713192058.22520.qmail@xuxa.iecc.com>
John Levine wrote:
>>Reminder: following lots of discussion on this list, I wrote proposals
>>on how crypto can help solve phishing, spoofing and spamming problems.
>>...
>># Protecting (even) Naive Web Users, or: Preventing Spoofing and
>>Establishing Credentials of Web Sites, at
>>http://eprint.iacr.org/2004/155/ (or off http://AmirHerzberg.com)
> This is a pretty good paper. It outlines the problem and proposes
> that browsers add a "trusted credential area" that displays a site
> logo that has to be signed by a CA using SSL, in a way that is hard to
> spoof or forge.
Thanks! But our prototype (for Mozilla) also allows you to select the
logo (or icon) for the site manually, although having it already signed
by a trusted authority could be nice. Also: the trusted area can
display other credentials of the site, and in particular the logo and/or
name of the CA.
>
> I've been discussing a similar idea with a lot of people that has one
> important difference: the seal belongs to the CA and is distributed as
> part of the verification certificate. Per-site logos have the
> disadvantages that there are a lot of sites, not all with famous
> logos, and there are a lot of CAs, most of whose primary verification
> technique is to be sure your check didn't bounce.
I completely agree that the existing CA solution in browsers is lousy; did
you notice that the main requirement to become a CA is to be a CPA
(certified public accountant) and pay $1400 to WebTrust? (More in the paper.)
That's why manual logo approval by the users is an important first step
(it works great; I don't know how I ever used e-banking without it).
A second step may be for users to share these user-certified logos, and
finally, for some trustworthy organizations to provide logo certificates.
>
> In most industries there is a regulator or trade association who
> already knows who the legitimate players are. That's who should be
> running the CA for that industry, with an industry wide logo that they
> could advertise, something like a golden dollar sign that tells you
> that a site is really a bank. I spoke briefly to a guy from the FDIC
> at last year's antiphishing meeting who said they'd been thinking of
> something like that.
Agree! We call this a credential; see the paper or just this screen shot:
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing_files/image006.gif
--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography &
security)
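The manual logo approval discussed above, as an added example that is not the Mozilla prototype's code nor anything from the paper: a small Python sketch of a per-user logo store that binds an approved logo to both the site name and the server certificate's fingerprint, so a look-alike name or a re-keyed site never inherits an approval it was not given. The site names, certificate bytes and CA names below are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; a real browser would hash the DER
    certificate from the TLS handshake (here the bytes are constructed stand-ins)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TrustedArea:
    """User-approved logos keyed by (site name, certificate fingerprint)."""
    approved: dict = field(default_factory=dict)

    def approve(self, site: str, cert_der: bytes, logo: str) -> None:
        # The user approves a logo for the site *as seen with this certificate*.
        self.approved[(site.lower(), fingerprint(cert_der))] = logo

    def logo_for(self, site: str, cert_der: bytes) -> Optional[str]:
        return self.approved.get((site.lower(), fingerprint(cert_der)))

    def render(self, site: str, cert_der: bytes, issuer: str) -> str:
        """Text the trusted credential area would show for this connection:
        the approved logo plus the CA name, or a warning and never a logo."""
        logo = self.logo_for(site, cert_der)
        if logo is None:
            return f"UNAPPROVED SITE: {site} (certificate issued by {issuer})"
        return f"[{logo}] {site}, certificate issued by {issuer}"


def demo() -> dict:
    """Approve one bank, then check a genuine visit, a look-alike name,
    and the same name presenting a different (constructed) certificate."""
    area = TrustedArea()
    bank_cert = b"constructed-der-bytes-for-bank.example"
    area.approve("bank.example", bank_cert, "bank-logo.png")
    return {
        "genuine": area.render("bank.example", bank_cert, "Example CA"),
        "lookalike": area.render("bank-example.example", bank_cert, "Example CA"),
        "rekeyed": area.render("bank.example", b"some-other-cert", "Other CA"),
    }
```

Only the genuine visit gets the logo; the look-alike name and the re-keyed certificate both fall through to the warning, which is the point of binding the approval to the certificate rather than to the name alone.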