nanog mailing list archives
Re: Dear RIPE: Please don't encourage phishing
From: Steven Bellovin <smb () cs columbia edu>
Date: Fri, 10 Feb 2012 15:26:12 -0500
On Feb 10, 2012, at 12:37:01 PM, Leo Bicknell wrote:
> In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush wrote:
>> more and more these days, i have taken to not clicking the update messages, but going to the web site manually to get it. waaaay too much phishing, and it is getting subtle and good.
>
> We know how to sign and encrypt web sites. We know how to sign and encrypt e-mail. We even know how to compare keys between the web site and e-mail via a variety of mechanisms. We know how to sign DNS. Remind me again why we live in this sad world Randy (correctly) described? There's no reason my mail client shouldn't validate the signed e-mail came from the same entity as the signed web site I'd previously logged into, and give me a green light that the link actually points to said same web site with the same key. It should be transparent, and secure for the user.
The really hard parts are (a) getting the users to pay attention to the validation state (or, more precisely, the lack thereof on a phishing email), and (b) getting them to do it *correctly*. Some of the browser password managers have protection against phishing as a very useful side-effect: if they don't recognize the URL, they won't pony up the correct login and password. That's much better than hoping that someone notices the absence of a little icon that means "this was signed". The "correctly" part has to do with the PKI mess.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
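The password-manager behaviour Steve describes, shown as an added stand-alone example (editor's illustration, not code from any poster or browser): credentials are released only when the page origin matches the one they were saved on, so a lookalike or subdomain host, a non-default port, or an http downgrade gets nothing. The vault contents and the function names are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the exact origin they were saved on.
VAULT = {
    "https://bank.example": ("alice", "hunter2"),
}


def origin_of(url: str) -> Optional[str]:
    """Return https://host[:port] for url, or None if it is not a usable https URL.

    The host is IDNA-encoded so a Unicode lookalike label (e.g. a Cyrillic 'a')
    becomes its xn-- form and can never equal the ASCII origin stored in the vault.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # plain http or malformed URL: treat as an unknown site
    try:
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    if port in (None, 443):
        return f"https://{host}"
    return f"https://{host}:{port}"


def credentials_for(url: str, vault=VAULT) -> Optional[Tuple[str, str]]:
    """Release a credential only on an exact origin match.

    Subdomains, lookalike registrations, odd ports and http downgrades all
    miss the lookup, which is the anti-phishing side effect described above.
    """
    origin = origin_of(url)
    if origin is None:
        return None
    return vault.get(origin)
```

The check is deliberately exact rather than "close enough": a phishing page that merely resembles the saved site must look, to the manager, like a site it has never seen.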