[Cryptography] Encryption opinion

Bear bear at sonic.net
Mon Aug 25 14:47:56 EDT 2014


On Mon, 2014-08-25 at 13:32 +0200, Stephan Neuhaus wrote:
> On 2014-08-25, 12:50, ianG wrote:

> > And, do you think that if the browsers had said "we must eradicate
> > phishing!" they would have succeeded?  Of course they would.

> I'm not sure.  It's very hard (at least NOW it's very hard) to come up
> with a way to tell users that a site is probably a phishing site without
> confusing them even more than they already are.

I think the most effective class of phishing attacks right now in
fact can easily be beaten.

This is the message that purports to be from someone with whom you 
have a pre-existing security relationship: your bank, your ISP, 
a business from which you buy things online, or your email provider, 
or whatever.  

The problem here is that the email client checks keys and returns 
"TRUE" or "FALSE" rather than returning "IS WHO IT CLAIMS TO BE" or 
"IS NOT WHO IT CLAIMS TO BE" because right now email clients don't 
have any concept of who the correspondent claims to be.  They're just
checking that, yes, such a certificate exists rather than checking 
that it actually matches the most recent certificate seen from this 
entity.

But an email client certainly can have such a concept.  The receipt 
of even a single authenticated message should establish the concept 
of an authenticated correspondence identity to which any later 
email either clearly does, or clearly does not, belong.  So any 
correspondence that comes from your bank ought to show up in the 
email client, in a secured bin containing nothing except other 
email to and from the same bank.  And if it doesn't, clearly that 
is UI that can give people more of a clue that someone is trying to 
phish them. 


				Bear
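The correspondent-identity scheme Bear sketches above, worked through as an added example (it is not code from the post, nor from any existing mail client). It assumes that signature verification has already run and hands back the public key that verified the message (or None when the message is unsigned or the signature is bad); the key material and messages are constructed sample data, and the bin names are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: these byte strings stand in for whatever signing key
# the client actually verified (PGP, S/MIME, DKIM selector key, ...).
BANK_KEY = b"constructed-bank-signing-key-v1"
IMPOSTOR_KEY = b"constructed-impostor-signing-key"


@dataclass(frozen=True)
class Message:
    claimed_sender: str            # the address the message says it comes from
    verified_key: Optional[bytes]  # key that verified the signature; None if unsigned/invalid
    subject: str


def fingerprint(key: bytes) -> str:
    """Stable identifier for a key; a hash keeps the pin store small."""
    return hashlib.sha256(key).hexdigest()


class CorrespondentStore:
    """Key continuity per correspondent.

    The first authenticated message from an address establishes that address's
    identity (trust on first use).  Every later message claiming the same address
    is sorted by whether it is bound to that identity, not by whether *some*
    certificate happened to validate.
    """

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}  # claimed_sender -> pinned key fingerprint
        self.bins: dict[str, list[Message]] = {
            "secured": [],     # authenticated and matches the known identity
            "unverified": [],  # no identity known yet and nothing to check against
            "mismatch": [],    # claims a known correspondent but is not them
        }

    def classify(self, msg: Message) -> str:
        pinned = self.pins.get(msg.claimed_sender)
        if msg.verified_key is None:
            # Unsigned mail that claims a correspondent we already know is exactly
            # the "looks like your bank but isn't" case; it must not land in the bank's bin.
            return "mismatch" if pinned else "unverified"
        fp = fingerprint(msg.verified_key)
        if pinned is None:
            # First authenticated message: establish the correspondence identity.
            self.pins[msg.claimed_sender] = fp
            return "secured"
        # Later authenticated message: it either belongs to the identity or it does not.
        return "secured" if fp == pinned else "mismatch"

    def deliver(self, msg: Message) -> str:
        verdict = self.classify(msg)
        self.bins[verdict].append(msg)
        return verdict


def run_demo() -> list:
    """Deliver a constructed inbox and return the verdict for each message in order."""
    store = CorrespondentStore()
    inbox = [
        Message("alerts@bank.example", BANK_KEY, "Your statement is ready"),   # establishes identity
        Message("alerts@bank.example", BANK_KEY, "Card activity notice"),      # same identity
        Message("alerts@bank.example", None, "Urgent: verify your account"),   # unsigned lookalike
        Message("alerts@bank.example", IMPOSTOR_KEY, "Security update"),       # valid sig, wrong identity
        Message("newsletter@shop.example", None, "Weekly deals"),              # nobody we know
    ]
    return [store.deliver(m) for m in inbox]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The first message is the weak point of any trust-on-first-use design: if the very first "bank" message a user ever receives is the phish, its key becomes the pin. That is the same trade-off SSH host keys make, and the usual mitigations (seeding pins out of band, or asking the user to confirm the first binding) apply here too.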