[Cryptography] Phishing and other abuse issues [Was: Re: Encryption opinion]

Viktor Dukhovni cryptography at dukhovni.org
Fri Aug 29 09:35:59 EDT 2014


On Thu, Aug 28, 2014 at 10:06:43PM -0700, Christian Huitema wrote:

> Maybe we should teach computers how to read minds. Or do some
> approximation with voice recognition, bookmarks, etc. But we should
> not just ignore the issue.

This is of course at that point no longer an IETF issue, rather an
application and user-interface design issue.

Speaking of applications, part of the problem is that banks don't
provide the client side of banking applications.  Rather a general
purpose browser is now the universal application platform, and the
browser has no knowledge of either the user's intentions, or the
boundaries of the set of remote resources that comprise any given
remote service.

I solve this problem with a dedicated account on a MacOSX machine,
that is used solely for banking, and has "Parental Controls" enabled,
restricting the Safari browser to connect exclusively to the bank
and nowhere else.  The account in question does not read email, nor
browse the rest of the web.

By jumping through these hoops I get a simulacrum of a banking
application which is moderately trustworthy.

To make progress the application folks will have to figure out how
to deliver safe function-specific interfaces to users.  This is a
difficult problem, compounded by economic externalities.  Banks
own ATM machines, but they don't own any of the various mobile
platforms, and have little influence over their design.

-- 
	Viktor.

