Re: the curse of the S(imple) protocols, was: Re: e2e

On Fri, 17 Aug 2007 20:31:51 +0200
Iljitsch van Beijnum <iljitsch at muada.com> wrote:

> On 17-aug-2007, at 17:54, Steven M. Bellovin wrote:
> > S/MIME would be a fine start.  It also won't solve the problem until
> > someone develops a user interface that DTRT for naive users who
> > don't understand trust anchors,
> Big yellow warning when S/MIME authentication fails in Apple's Mail
> is hard to miss even if you don't understand exactly what it is...

You'd be surprised what people will miss...  You also have to account
for people missing the presence of S/MIME, i.e., the bad guy just sends
the email without any protection and hopes folks don't notice.
> 
> > or how to distinguish myfinancialcompany.com from
> > myfinancia1company.com when both have valid certificates.
> 
> So I can register paypa1.com and then go to Verisign to get a
> certificate for that domain? If that's true, then I think the law
> makers in various jurisdictions have work to do.

Given that paypa1.com was the very first phishing attack I saw, and
that there was a cert...  More recently, see
http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html
> 
> The very simple idea of having a .bank TLD for financial institutions
> could also help a lot here.
> 
Same failure modes.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
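
An added illustration of the lookalike-domain problem discussed above (paypa1.com obtaining a perfectly valid certificate); this is example code written for this page, not anything posted in the thread. It reduces a hostname's registrable part to a "skeleton" in which confusable characters (digit 1 to l, 0 to o, "rn" to "m", and, going beyond the digit-1 case in the text, a few Cyrillic letters to their Latin look-alikes) are folded together, then compares that skeleton against a constructed list of protected brand names; it also catches a brand string embedded in a subdomain or label. The brand list, the sample hostnames and the confusable tables are constructed assumptions, and the registrable-domain split is a naive last-two-labels approximation rather than the Public Suffix List.

```python
# Added example (not from the thread): flag lookalike hostnames such as
# paypa1.com that a DV certificate check would happily accept.
import unicodedata

# Constructed list of protected names; an assumption for this example.
PROTECTED = ("paypal.com", "myfinancialcompany.com")

# Cyrillic letters that render like Latin ones (assumed subset, not exhaustive).
CYRILLIC_TO_LATIN = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})
# Multi-character confusables are folded before single characters.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s",
                                    "3": "e", "|": "l", "!": "i"})


def skeleton(name: str) -> str:
    """Fold a domain name so that visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKC", name).lower()
    s = s.translate(CYRILLIC_TO_LATIN)
    s = s.encode("ascii", "ignore").decode()   # drop anything still non-ASCII
    for pair, single in MULTI_CONFUSABLES.items():
        s = s.replace(pair, single)
    s = s.translate(SINGLE_CONFUSABLES)
    return s.replace("-", "")


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels. Real code uses the PSL."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_matches(host: str, protected=PROTECTED):
    """Return [(brand, reason), ...] for a host that imitates a protected brand.

    An empty list means either the genuine domain or no resemblance found.
    Certificate validity is deliberately not consulted: the attacker's cert
    for paypa1.com is valid, so only the name itself can be judged.
    """
    host = host.lower().rstrip(".")
    if "xn--" in host:                      # decode punycode labels, if any
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    reg = registrable(host)
    if reg in protected:
        return []                           # the real thing
    reg_label = reg.split(".")[0]
    reg_sk = skeleton(reg)
    findings = []
    for brand in protected:
        brand_label = brand.split(".")[0]
        if reg_sk == skeleton(brand):
            findings.append((brand, "confusable characters"))
        elif edit_distance(reg_label, brand_label) == 1:
            findings.append((brand, "one edit from brand"))
        elif brand in host:                 # e.g. paypal.com.login.example
            findings.append((brand, "brand embedded in subdomain"))
        elif brand_label in reg_label:      # e.g. paypal-secure.com
            findings.append((brand, "brand as substring"))
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames, including the thread's paypa1.com case.
    for h in ("paypa1.com", "myfinancia1company.com", "www.paypal.com",
              "paypal.com.login.example", "p\u0430ypal.com", "example.org"):
        print(f"{h:28s} {lookalike_matches(h)}")
```

The check is independent of certificate validation on purpose: a domain-validated certificate for paypa1.com is valid by construction, so a mail client or proxy that wants to catch the case has to apply policy to the name, which is the same judgement a user is being asked to make by eye.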

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.