[Cryptography] Phishing and other abuse issues [Was: Re: Encryption opinion]

Paul Ferguson fergdawgster at mykolab.com
Thu Aug 28 15:38:49 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Below:

On 8/28/2014 12:28 PM, Bear wrote:

> On Wed, 2014-08-27 at 10:47 +0100, ianG wrote:
> 
>> I spent many years over at Mozilla, trying to get them to do 
>> something, anything about phishing.  They refused.
>> 
>> Once, just once, patient long-winded argument got the engineers 
>> there to say "Oh, you have a point.  Right.  Phishing.  Our 
>> users.  Shit."
>> 
>> To which they added:  "Now you have to go to IETF and PKIX 
>> committee and get them to tell us what to do."
>> 
>> Boom.  The long and the short of it was that the browser vendors
>> had outsourced their security architecture to the standards
>> groups.  (Why they did this is a fascinating study in and of
>> itself.)  So, now that they had no architecture components for
>> security they are entirely dependent on the IETF and/or other
>> folks ... *to tell them what to do*.
>> 
>> Yet, the IETF are unified in their consensus that phishing is
>> not their problem.  Perhaps, a cute social engineering thing that
>> happens to other people, but decidedly not their purview because
>> it ain't no MITM, dammit.
> 
> 
>> See now why I describe MITM as including phishing?
> 
> It becomes clear why you are eager to reclassify it as something 
> that the IETF is interested in stopping, but motivation is 
> subjective and facts are objective. The disconnect remains.
> 
> The IETF is a protocol group; if it isn't a problem that can be 
> solved via protocol, they regard it as being outside their mandate.
> Even if there were general acceptance of the *idea* that phishing
> is an MITM, it would be an MITM of a kind that cannot be solved 
> via protocol, and therefore an MITM that the IETF still would not
> be interested in.
> 
> Whether or not it is called an MITM doesn't matter; your problem is
> that the IETF mandate is restricted to protocols.
> 
> At most, if you got a broad consensus, you'd force them to qualify
> their statement and say more specifically what *kind* of MITMs are
> and are not their purview.  In my opinion they've failed to
> provide a working remedy even for those, but at least they are
> interested in them.
> 
> What you want sounds like an appeal to the (as yet unformed) IUTF,
> Internet Usability Task Force, whose mandate specifically is to 
> recommend remedies to problems - particularly security problems - 
> caused by poor user interface.  That mandate definitely includes 
> phishing - and many other security concerns, most notably including
> my own pet peeve that there is no UI indication of the continuity
> (or lack thereof) of counterparty identities in any
> cryptographically secured communication.
> 
> 

Might I suggest that a few other organizations might be better
"equipped" to focus on this problem? For starters:

--> http://apwg.org/
--> http://m3aawg.org/

- ferg



-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iF4EAREIAAYFAlP/hUkACgkQKJasdVTchbIkOwD8DmGaC/aVhp5ZvR8euMvG4oD/
HCuxENVzTuvruKkkvOYBAKWSSHmIWyku3IIEkjjKpKBjrcqUwHI0Rce4wbx08y0Y
=yoS+
-----END PGP SIGNATURE-----

