lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41580999.549C1E0F@dessent.net>
Date: Mon, 27 Sep 2004 05:37:45 -0700
From: Brian Dessent <brian@...sent.net>
To: Daniel Veditz <dveditz@...zio.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: New whitepaper "The Phishing Guide"


Daniel Veditz wrote:

> How does that help in practice? A user fooled by a link to ebay-support.com
> is just as likely to accept signed mail from foo@...y-support.com. 

You can never help the users who can't help themselves.  What you can do
is help the users who know a little bit about phishing but do not care
to learn the methods de jour of URL forgery and other arcane knowledge. 
In other words you can simply tell them, "if it says it's from @ebay.com
and has a valid signature, it's probably legit.  Otherwise delete and
ignore."  Whereas today you have to tell them to hover over links,
explain all the ways URLs can be obfuscated, check email headers, and so
on.  Sure, the phishers will just start signing their messages as well,
but at least you have more options at hand to check the authenticity.

> mention that the potential profits from phishing could easily finance the
> purchase of a forged cert if someone at one of the built-in CA's was
> corruptible. Given the several that are based in 3rd world companies (not to
> mention recent US corporate scandals) I have no confidence that won't
> eventually happen.

This is why all software should be shipped with the option to check
certificate revocation lists enabled by default.

Brian


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ