[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040923192139.GM12669@immunix.com>
Date: Thu, 23 Sep 2004 12:21:40 -0700
From: Seth Arnold <sarnold@...unix.com>
To: bugtraq@...urityfocus.com
Subject: Re: New whitepaper "The Phishing Guide"
On Thu, Sep 23, 2004 at 09:57:03AM -0500, Aleksandar Milivojevic wrote:
> Sometimes it's unbelivable how long it takes organizations to discover
> that email can be signed. Especially nowdays when all major mail
> readers have support for at least S/MIME (and the really good ones have
> support for at least PGP ;-) ).
DE09D78D
888D09A3
18C4ED82
DA081DD1
4CE06F00
CC3D9213
23BDC6F9
Methinks PGP is good for talking within friends, but perhaps trusting
communications from J. Random Corporation with PGP as your best means of
verification is a stretch. The Web Of Trust idea only takes you so far
in combating these problems -- I've heard anecdotal evidence that
someone has replicated the entire "Web Of Trust" graph with identical
uids on keys of EFF members. If one starts the search from the desired
key and searches until finding a plausible name, one is doomed. One must
return to one's own key -- AND have faith that everyone in the middle
played fairly.
http://www.internetnews.com/dev-news/article.php/721571
Even the best-known X.509 Certification Agency has made screwups
regarding one of the best-known publicly traded corporations. How hard
do you think it would be to get certificates for something that sounds
plausibly like a bank? Credit card company?
Cryptography is good at solving many problems. But it is not a magical
problem solver. End users still need to be educated. Your guess is as
good as mine if we'll make progress on the "don't give information to
people who ask for it" front. :)
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists