[Cryptography] Phishing and other abuse issues [Was: Re: Encryption opinion]
Paul Ferguson
fergdawgster at mykolab.com
Thu Aug 28 15:38:49 EDT 2014
Below:
On 8/28/2014 12:28 PM, Bear wrote:
> On Wed, 2014-08-27 at 10:47 +0100, ianG wrote:
>
>> I spent many years over at Mozilla, trying to get them to do
>> something, anything about phishing. They refused.
>>
>> Once, just once, patient long-winded argument got the engineers
>> there to say "Oh, you have a point. Right. Phishing. Our
>> users. Shit."
>>
>> To which they added: "Now you have to go to IETF and PKIX
>> committee and get them to tell us what to do."
>>
>> Boom. The long and the short of it was that the browser vendors
>> had outsourced their security architecture to the standards
>> groups. (Why they did this is a fascinating study in and of
>> itself.) So, now that they had no architecture components for
>> security they are entirely dependent on the IETF and/or other
>> folks ... *to tell them what to do*.
>>
>> Yet, the IETF are unified in their consensus that phishing is
>> not their problem. Perhaps, a cute social engineering thing that
>> happens to other people, but decidedly not their purview because
>> it ain't no MITM, dammit.
>
>
>> See now why I describe MITM as including phishing?
>
> It becomes clear why you are eager to reclassify it as something
> that the IETF is interested in stopping, but motivation is
> subjective and facts are objective. The disconnect remains.
>
> The IETF is a protocol group; if it isn't a problem that can be
> solved via protocol, they regard it as being outside their mandate.
> Even if there were general acceptance of the *idea* that phishing
> is an MITM, it would be an MITM of a kind that cannot be solved
> via protocol, and therefore an MITM that the IETF still would not
> be interested in.
>
> Whether or not it is called an MITM doesn't matter; your problem is
> that the IETF mandate is restricted to protocols.
>
> At most, if you got a broad consensus, you'd force them to qualify
> their statement and say more specifically what *kind* of MITMs are
> and are not their purview. In my opinion they've failed to
> provide a working remedy even for those, but at least they are
> interested in them.
>
> What you want sounds like an appeal to the (as yet unformed) IUTF,
> Internet Usability Task Force, whose mandate specifically is to
> recommend remedies to problems - particularly security problems -
> caused by poor user interface. That mandate definitely includes
> phishing - and many other security concerns, most notably including
> my own pet peeve that there is no UI indication of the continuity
> (or lack thereof) of counterparty identities in any
> cryptographically secured communication.
>
>
Might I suggest that a few other organizations might be better
"equipped" to focus on this problem? For starters:
--> http://apwg.org/
--> http://m3aawg.org/
- ferg
--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2