[149650] in North American Network Operators' Group
Re: Dear RIPE: Please don't encourage phishing
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Fri Feb 10 15:27:07 2012
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <20120210173701.GA79917@ussenterprise.ufp.org>
Date: Fri, 10 Feb 2012 15:26:12 -0500
To: Leo Bicknell <bicknell@ufp.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 10, 2012, at 12:37 01PM, Leo Bicknell wrote:
> In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush wrote:
>> more and more these days, i have taken to not clicking the update messages,
>> but going to the web site manually to get it.
>>
>> waaaay too much phishing, and it is getting subtle and good.
>
> We know how to sign and encrypt web sites.
>
> We know how to sign and encrypt e-mail.
>
> We even know how to compare keys between the web site and e-mail via a
> variety of mechanisms.
>
> We know how to sign DNS.
>
> Remind me again why we live in this sad world Randy (correctly) described?
>
> There's no reason my mail client shouldn't validate the signed e-mail
> came from the same entity as the signed web site I'd previously logged
> into, and give me a green light that the link actually points to said
> same web site with the same key. It should be transparent, and secure
> for the user.
The really hard parts are (a) getting the users to pay attention to the
validation state (or, more precisely, the lack thereof on a phishing
email), and (b) getting them to do it *correctly*.

Some of the browser password managers have protection against phishing as
a very useful side-effect: if they don't recognize the URL, they won't pony
up the correct login and password. That's much better than hoping that
someone notices the absence of a little icon that means "this was signed".

The "correctly" part has to do with the PKI mess.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
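The password-manager behaviour Bellovin points to (credentials are bound to the site they were saved for, and a URL the manager does not recognize gets nothing) is a small piece of origin-matching logic. The following is an added illustration of that check, not code from this thread or from any browser; the `CredentialStore` class, the constructed sample login and the test URLs are all assumptions made for the example. It shows why this protection does not depend on the user noticing anything: the match is on the normalized scheme, host and port, so a downgraded scheme, a different port, a look-alike hostname or a host carrying the real name as a prefix all compare unequal and no credentials are offered.

```python
"""Origin-bound credential autofill (illustrative, constructed example).

Credentials are stored per exact origin (scheme, host, port) and are only
offered back to a page whose origin normalizes to the same triple.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]

# Only schemes we are willing to autofill into, with their default ports.
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url: str) -> Optional[Origin]:
    """Reduce a URL to (scheme, ascii_host, port); None if unusable.

    The host is lowercased, stripped of a trailing dot and IDNA-encoded so
    that a Unicode look-alike label is compared by its punycode form and
    cannot collide with the ASCII original. The path, query and fragment
    play no part in the match.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # urlsplit already lowercases it
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # a label IDNA rejects is never a match
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return None  # malformed port: treat as unrecognized
    return (scheme, host, port)


class CredentialStore:
    """A minimal per-origin credential store (assumed API, not a real browser's)."""

    def __init__(self) -> None:
        self._by_origin: Dict[Origin, Tuple[str, str]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        origin = normalize_origin(url)
        if origin is None:
            raise ValueError("refusing to store credentials for an unusable URL")
        self._by_origin[origin] = (username, password)

    def autofill(self, url: str) -> Optional[Tuple[str, str]]:
        """Return the saved login for exactly this origin, else None."""
        origin = normalize_origin(url)
        if origin is None:
            return None
        return self._by_origin.get(origin)


def demo() -> Dict[str, bool]:
    """Constructed walk-through: one saved login, several candidate pages."""
    store = CredentialStore()
    store.save("https://www.example.com/login", "randy", "hunter2")
    candidates = [
        "https://WWW.EXAMPLE.COM./account?tab=1",     # same origin, noisy spelling
        "http://www.example.com/login",               # scheme downgrade
        "https://www.example.com:8443/login",         # different port
        "https://www.example.com.evil.test/login",    # real name as a prefix
        "https://www.examp1e.com/login",              # ASCII look-alike
        "https://www.example.com@evil.test/login",    # userinfo trick
    ]
    return {url: store.autofill(url) is not None for url in candidates}


if __name__ == "__main__":
    for url, filled in demo().items():
        print(f"{'FILL ' if filled else 'DENY '} {url}")
```

Only the first candidate is filled; every other page is denied without the user having to inspect the address bar or look for a lock icon, which is the point Bellovin makes about this protection working as a side-effect rather than through user vigilance.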