RE: (secure email) Proposal to anti-phishing

["Lyal Collins" <lyal.collins () key2it com au>]

Phishing and fraud are synomymous is this thread, imho.
Anything that addresses one must also address the other.
And malware-based ID theft, enabled by luring victims to a malware site is a
precursor to fraud.

Client side certificates are useless against fraud - imho its pointless to
deploy something against one problem while knowing that there are already
successful attacks against the so-called 'solution'.

Lyal

> -----Original Message-----
> From: Michael Silk [mailto:michaelsilk () gmail com] 
> Sent: Monday, 24 January 2005 6:42 PM
> To: Lyal Collins
> Cc: webappsec () securityfocus com
> Subject: Re: (secure email) Proposal to anti-phishing
>
>
> Thats not really "Phishing" though, is it?
> (http://en.wikipedia.org/wiki/Phishing) It is on one hand in that they
> are lured to the site, but they don't provide any information, it is
> stolen from them by the malware.
>
> Sure, it's a problem that must be dealt with but to say that client
> side certificates are useless due to that is silly because that
> (compromised system) is a problem _no matter what_ solution is
> implemented ("secure" emails).
>
> -- Michael
>
>
> Lyal said:
> > > -----Original Message-----
> > > From: Michael Silk [mailto:michaelsilk () gmail com]
> > > Sent: Monday, 24 January 2005 3:24 PM
> > > To: lyal.collins () key2it com au; webappsec () securityfocus com
> > > Subject: RE: (secure email) Proposal to anti-phishing
> > >
> > >
> > > Lyal said:
> > > > > The difference is that client-side SSL exists today in an
> > > industry
> > > > > standard platform independent manner that could be effectively
> > > > > deployed. (management is a different issue that I will be a
> > > > coward and
> > > > > ignore for now.)
> > > >
> > > > It's hard to see how changing the locaiton of a password
> > > > verification actually makes any difference to accountholder
> > > > security or phishing.
> > >
> > > Is it? Surely it's easy to see. Phishing requries the 
> user to enter
> > > the password in a website. If they don't need to do this (or only
> > > enter partial password) because of certificate, then I think it's
> > > pretty easy to see how that is an advantage.
> >
> > Seen the newer generaitons of phishing, where going to the 
> faked bank site
> > loads up the user's PC with spyware, keyloggers et al?
> >
> > Certificates are compromised as soon as any malware enters 
> the machine -
> > which is useless in this phishing scenario.
> >
> >
> > > > > And then there's the pragmatic fact that people will pay
> > > Microsoft
> > > > > protection-racket funds for Microsoft anti-spyware to protect
> > > > > themselves transparently in the background from the
> > > crappy software
> > > > > Microsoft *SOLD* them in the first place...and they will do
> > > > this long
> > > > > before they'll use any of the "secure email"
> > > > > solutions today that require user interaction & thought.
> > > > >
> > > > > But I'm all for an global standard secure email solution if
> > > > you happen
> > > > > to have one of those handy,
> > > >
> > > > Actually, my company does - if anyone wants to buy it.
> > >
> > > Global, is it? Who buys it then? How does it work? Care 
> to share more
> > > details, because there is not much information on your 
> site. Doesn't
> > > seem any different to what PGP would provide.
> > >
> > > It's also rather interesting that you claim it "encrypts" 
> everything,
> > > but also analyses it for spam, viruses ... now just how does it do
> > > that :) ?
> > >
> > > And what is "content checked". Seems far to "big brother" for
> > > my liking.