[Cryptography] Encryption opinion
Bear
bear at sonic.net
Mon Aug 25 14:47:56 EDT 2014
On Mon, 2014-08-25 at 13:32 +0200, Stephan Neuhaus wrote:
> On 2014-08-25, 12:50, ianG wrote:
> > And, do you think that if the browsers had said "we must eradicate
> > phishing!" they would have succeeded? Of course they would.
> I'm not sure. It's very hard (at least NOW it's very hard) to come up
> with a way to tell users that a site is probably a phishing site without
> confusing them even more than they already are.
I think the most effective class of phishing attacks right now in
fact can easily be beaten.
This is the message that purports to be from someone with whom you
have a pre-existing security relationship: your bank, your ISP,
a business from which you buy things online, or your email provider,
or whatever.
The problem here is that the email client checks keys and returns
"TRUE" or "FALSE" rather than returning "IS WHO IT CLAIMS TO BE" or
"IS NOT WHO IT CLAIMS TO BE" because right now email clients don't
have any concept of who the correspondent claims to be. They're just
checking that, yes, such a certificate exists rather than checking
that it actually matches the most recent certificate seen from this
entity.
But an email client certainly can have such a concept. The receipt
of even a single authenticated message should establish the concept
of an authenticated correspondence identity to which any later
email either clearly does, or clearly does not, belong. So any
correspondence that comes from your bank ought to show up in the
email client, in a secured bin containing nothing except other
email to and from the same bank. And if it doesn't, clearly that
is UI that can give people more of a clue that someone is trying to
phish them.
Bear
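The "authenticated correspondence identity" Bear describes is essentially trust-on-first-use pinning per correspondent: the first signed message from an address establishes which key that address is expected to use, and every later message is classified against that pin rather than against "does some certificate exist". The following is an added illustration of that classification logic, not code from the post or from any mail client; it assumes the client has already verified the message signature and hands over the signing key, and the sender addresses and keys are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hashlib


class Verdict(Enum):
    """Answers the client can give instead of a bare TRUE/FALSE."""
    IS_WHO_IT_CLAIMS = "IS WHO IT CLAIMS TO BE"
    IS_NOT_WHO_IT_CLAIMS = "IS NOT WHO IT CLAIMS TO BE"
    NEW_RELATIONSHIP = "first authenticated message; identity pinned"
    NO_RELATIONSHIP = "no authenticated relationship with this sender yet"


def fingerprint(pubkey: bytes) -> str:
    """Stable short identifier for a key (hypothetical helper)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Message:
    claimed_from: str          # the From: address the message asserts
    body: str
    # Key that produced a signature the client already verified; None = unsigned.
    signing_key: Optional[bytes]


@dataclass
class CorrespondentStore:
    """Per-address pins plus the 'secured bin' of mail that matched the pin."""
    pins: dict = field(default_factory=dict)     # address -> key fingerprint
    bins: dict = field(default_factory=dict)     # address -> [Message]

    def classify(self, msg: Message) -> Verdict:
        pinned = self.pins.get(msg.claimed_from)
        if msg.signing_key is None:
            # Unsigned mail from a sender we have a pin for is exactly the
            # phishing case: it claims the identity but cannot prove it.
            if pinned is not None:
                return Verdict.IS_NOT_WHO_IT_CLAIMS
            return Verdict.NO_RELATIONSHIP
        fp = fingerprint(msg.signing_key)
        if pinned is None:
            # First authenticated message establishes the correspondence identity.
            self.pins[msg.claimed_from] = fp
            self.bins.setdefault(msg.claimed_from, []).append(msg)
            return Verdict.NEW_RELATIONSHIP
        if fp == pinned:
            self.bins[msg.claimed_from].append(msg)
            return Verdict.IS_WHO_IT_CLAIMS
        # Valid signature, but not the key this correspondent has used before.
        return Verdict.IS_NOT_WHO_IT_CLAIMS


def demo():
    """Constructed scenario; returns (verdicts, store) for inspection."""
    bank_key = b"constructed-bank-key-material"
    other_key = b"constructed-attacker-key-material"
    store = CorrespondentStore()
    traffic = [
        Message("alerts@bank.example", "Your statement is ready", bank_key),
        Message("alerts@bank.example", "New login from your device", bank_key),
        Message("alerts@bank.example", "Verify your account now", None),
        Message("alerts@bank.example", "Urgent: confirm details", other_key),
        Message("alerts@bank-secure.example", "Your account is locked", None),
    ]
    verdicts = [store.classify(m) for m in traffic]
    return verdicts, store


if __name__ == "__main__":
    for v in demo()[0]:
        print(v.value)
```

Only the two messages signed with the pinned key land in the bank's bin; the unsigned and differently signed messages that claim the same address are rejected outright, and the lookalike domain never enters the bin because no relationship exists with it. A real client would also need a deliberate key-rotation path, which this sketch treats as "not who it claims to be".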