ID "theft" -- so what?

Ian G iang at systemics.com
Sun Aug 14 15:14:54 EDT 2005


Ben Laurie wrote:
> Ian Grigg wrote:
> 
>> Too many words?  OK, here's the short version
>> of why phishing occurs:
>>
>> "Browsers implement SSL+PKI and SSL+PKI is
>> secure so we don't need to worry about it."
>>
>> PKI+SSL *is* the root cause of the problem.  It's
>> just not the certificate level but the business and
>> architecture level.  The *people* equation.
> 
> 
> PKI+SSL does not _cause_ the problem, it merely fails to solve it. You 
> may as well blame HTTP - in fact, it would be fairer.

Well, blaming a protocol which is an inanimate
invention of man is always unfair, but so is
avoiding the issues by quibbling on the meanings.

Blaming HTTP is totally unfair as it never ever
promised to protect against spoofs.

PKI+SSL promised to detect and cover spoofs.  In
fact, the original point of PKI was to close out
the MITM or spoof, and was then enlarged somewhat
confusingly to provide some sort of commerce
guarantee on the stated identity (cf. Lynn's
amusing stories of CAs gone mad with dollarlust.)

Originally, Netscape's browser implemented the
complete anti-spoofing UI and included more info
on the screen.  This was then dropped in the
screen wars, against the advice of security
engineers at Netscape.  (Ref:  comments by Bob
R.)

So, to repeat: It's not the certificate
level but the business and architecture level.
The *people* equation.  It's the people who
implement the PKI+SSL model and don't do it
properly that are the root cause of phishing.

Petnames, Trustbar, DSS are some of the solutions
that work *positively* and *constructively* to
close the loopholes in the browser's implementation
of PKI+SSL.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com