Re: (secure email) Proposal to anti-phishing

[Michael Silk <michaelsilk () gmail com>]

You are talking about a secure email _network_, where only "trusted"
people can send emails to members. (i.e: a private mailing list).

You are suggesting a trusted system like this, right? And your
argument is that non-trusteds (phishers) can't get in and send emails
- fine, it may be true (depending on membership verification process).

How does this list communicate with the outside world? Customers?
Banks? ...? Do they have to become "trusted" too ? On what basis ?
Email address? Certificate? Who manages all this trust? Whats the
change-over timeframe to get the world onto this system as opposed to
the current one ?

I'm still a little confused as to what you are suggesting the solution
(the pratical solution) is here... because setting up such a trusted
network just isn't possible (and has been tried before, hasn't it ?)

If your idea is just about having a way to trust specific peoples'
messages (certificates) then fine, it's a system that would work on a
positive basis (customer: "Yes, this is from my bank, because the
little padlock is there..!") but not on a negative basis (customer:
"Hmm, it says its from my bank, but there is no pad lock... I will
click it anyway ... those banks, always stuffing things up.").

Implemented with my idea[1] from a long time ago, however, it could be neat :)

But I still don't see your problem with Client-side certificates.

-- Michael
[1] http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html


On Mon, 24 Jan 2005 18:54:46 +1100, Lyal Collins
<lyal.collins () key2it com au> wrote:
> The attraction of secure emails are that 'phishers' have to compromise every
> recipient's mailbox/secure email solution in the world, THEN launch a
> phishing attack against customers of select bank in order to get the rate of
> return they do today.
> This seems a much harder, and less profitable sequence a phisher must go
> through, which has a higher probability of detection and convictability,
> increasing deterrence and decreasing the phishers payback.
>
> Lyal
>
>
> > -----Original Message-----
> > From: Michael Silk [mailto:michaelsilk () gmail com]
> > Sent: Monday, 24 January 2005 6:42 PM
> > To: Lyal Collins
> > Cc: webappsec () securityfocus com
> > Subject: Re: (secure email) Proposal to anti-phishing
> >
> >
> > Thats not really "Phishing" though, is it?
> > (http://en.wikipedia.org/wiki/Phishing) It is on one hand in that they
> > are lured to the site, but they don't provide any information, it is
> > stolen from them by the malware.
> >
> > Sure, it's a problem that must be dealt with but to say that client
> > side certificates are useless due to that is silly because that
> > (compromised system) is a problem _no matter what_ solution is
> > implemented ("secure" emails).
> >
> > -- Michael
> >
> >
> > Lyal said:
> > > > -----Original Message-----
> > > > From: Michael Silk [mailto:michaelsilk () gmail com]
> > > > Sent: Monday, 24 January 2005 3:24 PM
> > > > To: lyal.collins () key2it com au; webappsec () securityfocus com
> > > > Subject: RE: (secure email) Proposal to anti-phishing
> > > >
> > > >
> > > > Lyal said:
> > > > > > The difference is that client-side SSL exists today in an
> > > > industry
> > > > > > standard platform independent manner that could be effectively
> > > > > > deployed. (management is a different issue that I will be a
> > > > > coward and
> > > > > > ignore for now.)
> > > > >
> > > > > It's hard to see how changing the locaiton of a password
> > > > > verification actually makes any difference to accountholder
> > > > > security or phishing.
> > > >
> > > > Is it? Surely it's easy to see. Phishing requries the
> > user to enter
> > > > the password in a website. If they don't need to do this (or only
> > > > enter partial password) because of certificate, then I think it's
> > > > pretty easy to see how that is an advantage.
> > >
> > > Seen the newer generaitons of phishing, where going to the
> > faked bank site
> > > loads up the user's PC with spyware, keyloggers et al?
> > >
> > > Certificates are compromised as soon as any malware enters
> > the machine -
> > > which is useless in this phishing scenario.
> > >
> > >
> > > > > > And then there's the pragmatic fact that people will pay
> > > > Microsoft
> > > > > > protection-racket funds for Microsoft anti-spyware to protect
> > > > > > themselves transparently in the background from the
> > > > crappy software
> > > > > > Microsoft *SOLD* them in the first place...and they will do
> > > > > this long
> > > > > > before they'll use any of the "secure email"
> > > > > > solutions today that require user interaction & thought.
> > > > > >
> > > > > > But I'm all for an global standard secure email solution if
> > > > > you happen
> > > > > > to have one of those handy,
> > > > >
> > > > > Actually, my company does - if anyone wants to buy it.
> > > >
> > > > Global, is it? Who buys it then? How does it work? Care
> > to share more
> > > > details, because there is not much information on your
> > site. Doesn't
> > > > seem any different to what PGP would provide.
> > > >
> > > > It's also rather interesting that you claim it "encrypts"
> > everything,
> > > > but also analyses it for spam, viruses ... now just how does it do
> > > > that :) ?
> > > >
> > > > And what is "content checked". Seems far to "big brother" for
> > > > my liking.