Failure of PKI in messaging

Matt Blaze mab at
Mon Feb 12 17:03:32 EST 2007

I'm all for email encryption and signatures, but I don't see
how this would help against today's phishing attacks very much,
at least not without a much better trust management interface on
email clients (of a kind much better than currently exists
in web browsers).

Otherwise the phishers could just sign their email messages with
valid, certified email keys (that don't belong to the bank)
the same way their decoy web traffic is sometimes signed with
valid, certified SSL keys (that don't belong to the bank).

And even if this problem were solved, most customers still
wouldn't know not to trust unsigned messages purporting
to be from their bank.


On Feb 12, 2007, at 16:43, James A. Donald wrote:

>      --
> Obviously financial institutions should sign their
> messages to their customers, to prevent phishing.  The
> only such signatures I have ever seen use gpg and come
> from niche players.
> I have heard that the reason no one signs using PKI is
> that lots of email clients throw up panic dialogs when
> they get such a message, and at best they present an
> opaque, incomprehensible, and useless interface.  Has
> anyone done marketing studies to see why banks and
> massively phished organizations do not sign their
> messages to their customers?
>      --digsig
>           James A. Donald
>       6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>       BwrcLrYHszR0syC9LdVrjxAionyxVDwbtJq8Xu2q
>       4ky71ODjPeHF5TC4pnkktFaLHEOfFN4fY8JEyqnfn
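
Added illustration, not part of the thread: a sketch of the kind of client-side trust check the reply says is missing, where a valid, certified signature is accepted only if it comes from a key the user has pinned for that sender, and unsigned mail claiming a pinned sender is flagged. The pin store, verdict strings, fingerprints and addresses are hypothetical, and signature verification itself is assumed to be done by the mail client's S/MIME or OpenPGP library.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

@dataclass
class SigResult:
    """Result handed over by the client's S/MIME/OpenPGP verifier (assumed)."""
    chain_valid: bool   # signature verifies and the key is certified
    signer_email: str   # address bound to the signing key
    fingerprint: str    # fingerprint of the signing key

# Hypothetical pin store: senders the user has enrolled out of band.
PINS = {"bank.example": {"names": {"example bank"},
                         "fingerprints": {"AA11"},   # constructed value
                         "always_signs": True}}

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def _claimed_pin(display: str, from_dom: str, pins: dict) -> Optional[str]:
    """Pinned sender this message claims to be, by address or display name."""
    for dom, pin in pins.items():
        if from_dom == dom or any(n in display.lower() for n in pin["names"]):
            return dom
    return None

def assess(from_header: str, sig: Optional[SigResult], pins: dict = PINS) -> str:
    display, addr = parseaddr(from_header)
    from_dom = _domain(addr)
    claimed = _claimed_pin(display, from_dom, pins)
    if sig is None:
        # Unsigned mail purporting to be from a sender known to always sign.
        if claimed and pins[claimed]["always_signs"]:
            return "reject-unsigned"
        return "unverified"
    if not sig.chain_valid:
        return "bad-signature"
    if _domain(sig.signer_email) != from_dom:
        return "signer-mismatch"
    if claimed == from_dom and sig.fingerprint in pins[claimed]["fingerprints"]:
        return "trusted"
    if claimed:
        # Valid, certified key, but not the one pinned for the claimed sender.
        return "valid-but-not-pinned"
    return "valid-unknown-sender"
```

The second and third verdicts are the two cases raised in the reply: a chain-valid signature alone never yields "trusted", and missing signatures are only meaningful once the client knows the sender always signs.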