Re: Dear RIPE: Please don't encourage phishing

[Steven Bellovin <smb () cs columbia edu>]

On Feb 10, 2012, at 12:37 01PM, Leo Bicknell wrote:

> In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush wrote:
> > more and more these days, i have taken to not clicking the update messages, 
> > but going to the web site manyually to get it.
> >
> > waaaay to much phishing, and it is getting subtle and good.
>
> We know how to sign and encrypt web sites.
>
> We know how to sign and encrypt e-mail.
>
> We even know how to compare keys between the web site and e-mail via a
> variety of mechanisms.
>
> We know how to sign DNS.
>
> Remind me again why we live in this sad word Randy (correcly) described?
>
> There's no reason my mail client shouldn't validate the signed e-mail
> came from the same entity as the signed web site I'd previously logged
> into, and give me a green light that the link actually points to said
> same web site with the same key.  It should be transparent, and secure
> for the user.

The really hard parts are (a) getting the users to pay attention to the
validation state (or, more precisely, the lack thereof on a phishing
email, and (b) get them to do it *correctly*.

Some of the browser password managers have protection against phishing as
a very useful side-effect: if they don't recognize the URL, they won't pony
up the correct login and password.  That's much better than hoping that
someone notices the absence of a little icon that means "this was signed".

The "correctly" part has to do with the PKI mess.


                --Steve Bellovin, https://www.cs.columbia.edu/~smb