[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] mail security

To: Anti-Spam Research Group - IRTF <asrg at irtf.org>
Subject: Re: [Asrg] mail security
From: Ian Eiloart <iane at sussex.ac.uk>
Date: Tue, 20 Jan 2009 16:35:11 +0000
Delivered-to: ietfarch-asrg-archive at core3.amsl.com
Delivered-to: asrg at core3.amsl.com
In-reply-to: <20090120155005.GJ24908 at verdi>
List-archive: <http://www.irtf.org/pipermail/asrg>
List-help: <mailto:asrg-request@irtf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-post: <mailto:asrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
References: <C1A3AC106E91AB28E2226803 at lewes.staff.uscs.susx.ac.uk> <20090120145354.57509.qmail at simone.iecc.com> <20090120155005.GJ24908 at verdi>
Reply-to: Anti-Spam Research Group - IRTF <asrg at irtf.org>
Sender: asrg-bounces at irtf.org



--On 20 January 2009 10:50:05 -0500 John Leslie <john at jlc.net> wrote:

John Levine <johnl at taugh.com> wrote:


Let's say you get a message from security at pay-pal.com, which is 100%
DKIM, SPF, and Sender-ID approved. Is that Paypal? How can you tell
short of manually looking up WHOIS registrations?

Well, without all those technologies, it's simple to simply use paypal'sdomain. Then there's no clue. Now, if you use a look-alike domain name,then you're probably violating the trademark. That's illegal, so your ESPand your mail client will be quite justified in looking for domains thatare similar to ones that you trust. That list might come from severalsources - trademark registrars, your address book, your whitelist, and soon.

   Most folks couldn't tell if they _did_ look up WHOIS -- so at first
blush I'd say that's the wrong question.

   Let's think about it differently.

   Why does phishing work?

   It works because the security of financial transactions depends on
obviously insecure passwords (anything simple enough for average folks
to remember _must_ be insecure) entered onto loosely secured websites.

   Compare that to ssh. Is there a record kept of what certificate is
used? Are there obvious warnings when you start a session with a
server whose certificate you've never seen before? Or even a warning
when the certificate changes?

   More to the point: why do financial institutions depend upon code in
browsers instead of calling a separate application for authentication?

Because, when the security is breached the customer pays. That needs tochange. Make the banks liable for frauds that are committed against them,and then they'll start taking it seriously. They'll block insecurebrowsers, and the browser authors will be forced to catch up.

The downside is that it's their poorest customers who may be forced to payfor hardware or o/s upgrades. There's also a risk that they might decide toonly support one browser.

The quality of security in browsers varies from barely adequate to
downright laughable (with a lot of customers using outdated browsers
closer to the laughable end of that range).

   Is there actually any point in trying to solve phishing issues by
verifying the origin of email if the customer is going to depend on
a known-insecure web-browser?

--
John Leslie <john at jlc.net>
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg




--
Ian Eiloart
IT Services, University of Sussex
x3148
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] mail security
  - From: John Levine

References:
- Re: [Asrg] where the message originated (was: DKIM role?) (SM)
  - From: Ian Eiloart
- Re: [Asrg] mail security
  - From: John Levine
- Re: [Asrg] mail security
  - From: John Leslie

Prev by Date: Re: [Asrg] where the message originated (was: DKIM role?) (SM)
Next by Date: Re: [Asrg] where the message originated (was: DKIM role?) (SM)
Previous by thread: Re: [Asrg] mail security
Next by thread: Re: [Asrg] mail security
Index(es):
- Date
- Thread