Can you help develop crypto anti-spoofing/phishing tool ?

Ian G iang at systemics.com
Thu Feb 3 10:38:42 EST 2005


Michael H. Warfield wrote

>>What Amir and Ahmad are looking at is
>>showing the CA as part of the trust equation
>>when the user hits a site.  Some CAs will
>>enter the user's consciousness via normal
>>branding methods, and new ones will
>>trigger care & caution.  Which is what
>>we want - if something strange pops up,
>>the user should take more care.
>
>	How do you make it "strange enough" for them to give a flip when a
>modal dialog box won't even do it?

I'd suggest you have a quick browse through
their paper, skip the words and look for the
graphics.  It will show it faster than these 1000
words.

http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm

In one word, it is 'branding.'  In many words,
it goes like this:  TrustBar allows the user to
'sign off' on her favourite banking sites, which
means when that cert is seen it shows a logo
that the user is familiar with.  It also shows
the logo of the CA, which is something that
the user is familiar with.

http://trustbar.mozdev.org/

Note that this is not a popup with techie
messages in it, but an 'advert' that appears
on the chrome.  On the basis of the recognition
of the cert, which belongs to that site, the
browser shows the bright coloured advert
for the bank and for the CA.

Now, a phisher, to attack that, would have to
acquire a cert from the same CA, and get the
user to also sign off on that cert as being her
bank.  Which is hard to do because she already
has signed off on her bank.

So what happens under attack is that the brand
adverts change, and the user should notice that.
This is in effect what branding is: it is a message
to you to notice when you are not drinking your
favourite cola brand, and to make you feel guilty
or something.

So, to use a little handwaving, we do know how
to make the user notice that she is in a different
place - by using the brand concepts that marketing
as a science and art has used for many a century.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
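The recognition logic Ian describes, sketched as an added Python model (this is not TrustBar's own code). It assumes recognition is keyed on the certificate fingerprint; the certificates, CA names and logo labels are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a site certificate (not a real X.509 object)."""
    subject: str
    issuer_ca: str
    der: bytes  # placeholder bytes; only their digest matters here

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class TrustBarModel:
    """User-side store of certs the user has 'signed off' on, plus CAs she knows."""

    def __init__(self) -> None:
        self.site_logos: dict[str, str] = {}  # cert fingerprint -> site logo
        self.ca_logos: dict[str, str] = {}    # CA name -> CA logo

    def sign_off(self, cert: Cert, site_logo: str, ca_logo: str) -> None:
        # Assumption: recognition is keyed on the cert fingerprint, so a
        # different cert for the same hostname does not inherit the bank's logo.
        self.site_logos[cert.fingerprint()] = site_logo
        self.ca_logos[cert.issuer_ca] = ca_logo

    def render(self, cert: Cert) -> dict:
        """What the chrome 'advert' would show for a site presenting `cert`."""
        site_logo = self.site_logos.get(cert.fingerprint())
        ca_logo = self.ca_logos.get(cert.issuer_ca)
        return {
            "site_logo": site_logo,        # None: no familiar bank brand shown
            "ca_logo": ca_logo,            # None: a CA the user has never seen
            "caution": site_logo is None,  # the brand changed: look closer
        }


def demo() -> dict:
    bar = TrustBarModel()
    bank = Cert("www.example-bank.test", "Familiar CA", b"bank-cert-bytes")
    bar.sign_off(bank, site_logo="ExampleBank logo", ca_logo="Familiar CA logo")
    # Two constructed look-alike certs: one from the same CA, one from a CA never seen.
    same_ca = Cert("www.example-bank.test", "Familiar CA", b"other-cert-bytes")
    new_ca = Cert("www.example-bank.test", "Unknown CA", b"third-cert-bytes")
    return {
        "bank": bar.render(bank),
        "same_ca": bar.render(same_ca),
        "new_ca": bar.render(new_ca),
    }
```

Only the signed-off cert lights up the bank's logo; a look-alike from the same CA still shows the familiar CA logo but loses the bank brand, which is the visual change the user is meant to notice.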


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
