[Cryptography] Encryption opinion

Bear bear at sonic.net
Thu Aug 28 15:28:21 EDT 2014


On Wed, 2014-08-27 at 10:47 +0100, ianG wrote:

> I spent many years over at Mozilla, trying to get them to do
> something, anything about phishing.  They refused.
> 
> Once, just once, patient long-winded argument got the engineers 
> there to say "Oh, you have a point.  Right.  Phishing.  Our 
> users.  Shit."
> 
> To which they added:  "Now you have to go to IETF and PKIX 
> committee and get them to tell us what to do."
> 
> Boom.  The long and the short of it was that the browser vendors had
> outsourced their security architecture to the standards groups.  (Why
> they did this is a fascinating study in and of itself.)  So, now that
> they had no architecture components for security they are entirely
> dependent on the IETF and/or other folks ... *to tell them what to
> do*.
> 
> Yet, the IETF are unified in their consensus that phishing is not
> their problem.  Perhaps, a cute social engineering thing that happens
> to other people, but decidedly not their purview because it ain't no
> MITM, dammit.


> See now why I describe MITM as including phishing?

It becomes clear why you are eager to reclassify it as something 
that the IETF is interested in stopping, but motivation is 
subjective and facts are objective. The disconnect remains. 

The IETF is a protocol group; if it isn't a problem that can be 
solved via protocol, they regard it as being outside their mandate.  
Even if there were general acceptance of the *idea* that phishing 
is an MITM, it would be an MITM of a kind that cannot be solved 
via protocol, and therefore an MITM that the IETF still would 
not be interested in.  

Whether or not it is called an MITM doesn't matter; your problem 
is that the IETF mandate is restricted to protocols.

At most, if you got a broad consensus, you'd force them to qualify 
their statement and say more specifically what *kind* of MITMs are 
and are not their purview.  In my opinion they've failed to provide 
a working remedy even for those, but at least they are interested 
in them. 

What you want sounds like an appeal to the (as yet unformed) IUTF, 
Internet Usability Task Force, whose mandate specifically is to 
recommend remedies to problems - particularly security problems - 
caused by poor user interface.  That mandate definitely includes
phishing - and many other security concerns, most notably including 
my own pet peeve that there is no UI indication of the continuity 
(or lack thereof) of counterparty identities in any cryptographically
secured communication. 


			Bear