Can crypto help against Phishing, Spoofing and Spamming...

Amir Herzberg herzbea at macs.biu.ac.il
Wed Jul 14 09:57:33 EDT 2004


John Levine wrote:

>>Reminder: following lots of discussion on this list, I wrote proposals
>>on how crypto can help solve phishing, spoofing and spamming problems.
>>...
>># Protecting (even) Naive Web Users, or: Preventing Spoofing and
>>Establishing Credentials of Web Sites, at
>>http://eprint.iacr.org/2004/155/ (or off http://AmirHerzberg.com)
> This is a pretty good paper.  It outlines the problem and proposes
> that browsers add a "trusted credential area" that displays a site
> logo that has to be signed by a CA using SSL, in a way that is hard to
> spoof or forge.
Thanks! But our prototype (for Mozilla) also allows you to select the 
logo (or icon) for the site manually, although having it already signed 
by a trusted authority could be nice. Also, the trusted area can 
display other credentials of the site, in particular the logo and/or 
name of the CA.
> 
> I've been discussing a similar idea with a lot of people that has one
> important difference: the seal belongs to the CA and is distributed as
> part of the verification certificate.  Per-site logos have the
> disadvantages that there are a lot of sites, not all with famous
> logos, and there are a lot of CAs, most of whose primary verification
> technique is to be sure your check didn't bounce.
I completely agree that the existing CA solution in browsers is lousy; did 
you notice that the main requirement to become a CA is to be a CPA 
(certified public accountant) and pay $1400 to WebTrust? (more in the paper)
That's why manual logo approval by the users is an important first step 
(works great - I don't know how I ever used e-banking without it). 
The second step may be for users to share these user-certified logos, and 
finally - for some trustworthy organizations to provide logo certificates.
> 
> In most industries there is a regulator or trade association who
> already knows who the legitimate players are.  That's who should be
> running the CA for that industry, with an industry wide logo that they
> could advertise, something like a golden dollar sign that tells you
> that a site is really a bank.  I spoke briefly to a guy from the FDIC
> at last year's antiphishing meeting who said they'd been thinking of
> something like that.
Agree! We call this a credential; see the paper or just this screenshot: 
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing_files/image006.gif
-- 
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & 
security)
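The exchange above describes a browser "trusted credential area" in which a logo the user manually approved for a site is shown only for that site, and in which a CA-signed logo or credential could later replace the manual step. The following is an added illustration of the manual-approval (trust-on-first-use) part of that design; it is example code written for this page, not code from the Mozilla prototype or the paper, and every name in it (SiteIdentity, CredentialStore, the sample hosts and the byte strings standing in for DER certificates) is an assumption constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SiteIdentity:
    """What the browser learns from the TLS connection.

    cert_der is a constructed stand-in for the server's DER certificate;
    a browser would put the real leaf certificate and its issuer name here.
    """
    host: str
    cert_der: bytes
    issuer: str

    def fingerprint(self) -> str:
        return hashlib.sha256(self.cert_der).hexdigest()


@dataclass(frozen=True)
class Credential:
    """A logo the user (or, later, a trusted authority) bound to one site."""
    logo: str
    issuer: str
    fingerprint: str


class CredentialStore:
    """Trust-on-first-use store behind the trusted credential area (hypothetical)."""

    def __init__(self) -> None:
        self._bindings: Dict[str, Credential] = {}

    def approve(self, site: SiteIdentity, logo: str) -> None:
        """User manually picks a logo for this site; bind it to host and certificate."""
        self._bindings[site.host] = Credential(logo, site.issuer, site.fingerprint())

    def display(self, site: SiteIdentity) -> Dict[str, Optional[str]]:
        """Decide what the trusted area shows for the current connection.

        Only an exact match on host AND certificate fingerprint earns the logo;
        a look-alike host, or a changed certificate for a known host, shows none,
        so a spoofed page cannot borrow the logo the user associates with the site.
        The CA name is always shown, since the text proposes it as a credential too.
        """
        bound = self._bindings.get(site.host)
        if bound is None:
            return {"status": "unidentified", "logo": None, "issuer": site.issuer}
        if bound.fingerprint != site.fingerprint():
            return {"status": "certificate-changed", "logo": None, "issuer": site.issuer}
        return {"status": "identified", "logo": bound.logo, "issuer": bound.issuer}


# Constructed sample connections; no real certificates are involved.
BANK = SiteIdentity("bank.example", b"constructed DER for bank.example", "Example Root CA")
LOOKALIKE = SiteIdentity("bank-example.net", b"constructed DER for look-alike", "Cheap CA")
REKEYED = SiteIdentity("bank.example", b"different constructed DER", "Another CA")


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Approve the bank once, then see what the trusted area shows in three cases."""
    store = CredentialStore()
    store.approve(BANK, "bank-logo.png")  # the user's one-time manual approval
    return {
        "bank": store.display(BANK),
        "lookalike": store.display(LOOKALIKE),
        "rekeyed": store.display(REKEYED),
    }


if __name__ == "__main__":
    for name, shown in demo().items():
        print(f"{name:10s} -> {shown}")
```

The "certificate-changed" case is the one a real implementation has to think hardest about: a legitimate key rotation and a fraudulent certificate for the same host look identical to the store, so the safe behaviour is to withhold the logo and ask the user to re-approve rather than to silently rebind.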