Bugtraq mailing list archives
Re: New whitepaper "The Phishing Guide"
From: Brian Dessent <brian () dessent net>
Date: Mon, 27 Sep 2004 05:37:45 -0700
Daniel Veditz wrote:
How does that help in practice? A user fooled by a link to ebay-support.com is just as likely to accept signed mail from foo () ebay-support com.
You can never help the users who can't help themselves. What you can do is help the users who know a little bit about phishing but do not care to learn the methods de jour of URL forgery and other arcane knowledge. In other words you can simply tell them, "if it says it's from @ebay.com and has a valid signature, it's probably legit. Otherwise delete and ignore." Whereas today you have to tell them to hover over links, explain all the ways URLs can be obfuscated, check email headers, and so on. Sure, the phishers will just start signing their messages as well, but at least you have more options at hand to check the authenticity.
mention that the potential profits from phishing could easily finance the purchase of a forged cert if someone at one of the built-in CA's was corruptible. Given the several that are based in 3rd world companies (not to mention recent US corporate scandals) I have no confidence that won't eventually happen.
This is why all software should be shipped with the option to check certificate revocation lists enabled by default. Brian
Current thread:
- New whitepaper "The Phishing Guide" Gunter Ollmann (NGS) (Sep 22)
- Re: New whitepaper "The Phishing Guide" Aleksandar Milivojevic (Sep 23)
- Re: New whitepaper "The Phishing Guide" Seth Arnold (Sep 24)
- Re: New whitepaper "The Phishing Guide" Aleksandar Milivojevic (Sep 27)
- Re: New whitepaper "The Phishing Guide" Greg A. Woods (Sep 27)
- Re: New whitepaper "The Phishing Guide" Crispin Cowan (Sep 28)
- Re: New whitepaper "The Phishing Guide" Seth Arnold (Sep 24)
- Re: New whitepaper "The Phishing Guide" Daniel Veditz (Sep 26)
- Re: New whitepaper "The Phishing Guide" Chip Andrews (Sep 27)
- Re: New whitepaper "The Phishing Guide" Philip Stoev (Sep 29)
- Re: New whitepaper "The Phishing Guide" Juraj Bednar (Sep 28)
- Re: New whitepaper "The Phishing Guide" Brian Dessent (Sep 28)
- Re: New whitepaper "The Phishing Guide" Aleksandar Milivojevic (Sep 23)
- Re[2]: New whitepaper "The Phishing Guide" Karsten Heidrich (Sep 28)
- <Possible follow-ups>
- RE: New whitepaper "The Phishing Guide" Dehner, Benjamin T. (Sep 25)