[Cryptography] Phishing and other abuse issues [Was: Re: Encryption opinion]

Christian Huitema huitema at huitema.net
Fri Aug 29 01:06:43 EDT 2014


> It becomes clear why you are eager to reclassify it as something 
> that the IETF is interested in stopping, but motivation is 
> subjective and facts are objective. The disconnect remains.

Reminds me of the old saying about computer science problems and another layer of indirection, except in reverse this time. Take the basic example: Alice wants to work with "her bank." Computers don't quite know yet how to read minds, so we solved the problem with one layer of indirection. Alice is told that she should really connect to https://www.rabbitholebank.co.uk/. 

Of course, that degree of indirection is executed inside Alice's brain. That leaves the door open to all kinds of attacks that target the space behind the users' eyes, to trick her into an alternative indirection, say to https://www.rabbitholebanc.co.uk/, or even to https://www.phishingareus.info/... Just need a page layout that is convincing enough for Alice, and she might not pay attention to the fine print at the top of the browser.

Iang calls that a MITM attack. IMHO, that's a poor choice of words, because 99.9% of the community will use MITM to designate a potential attack that inserts a hacker between Alice and https://www.rabbitholebanc.co.uk/, or even between Alice and https://www.phishingareus.info/. But the problem is real, and is worth addressing.

Maybe we should teach computers how to read minds. Or do some approximation with voice recognition, bookmarks, etc. But we should not just ignore the issue.

-- Christian Huitema