On Tue, Jan 8, 2013 at 1:28 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Ben Laurie <b...@links.org> writes:
>
> I've snipped most of this because, although it'd be fun to keep going back and
> forth, I'm not sure if everyone else wants to keep reading the exchange (Ben,
> we'll continue it over lunch or dinner some time :-).

Absolutely.

> There is one point though that really sticks out:
>
> > Phishing is not something that PKI is intended to address.
>
> I don't think I've ever heard anyone admit that before. In particular if you
> look at sites that talk about SSL's PKI, you see statements like:
>
>   In addition to encryption, a proper SSL certificate also provides
>   authentication. This means you can be sure that you are sending information
>   to the right server and not to a criminal's server.
>   -- http://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html

Modulo CAs not working correctly, this is what SSL does. So long as you define
"the right server" as being "the one with the domain name you navigated to".

>   Why SSL protects from phishing
>   ------------------------------
>   [...]
>   -- http://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html

Well, this cuts to some of the core of the problem: "This means that your users
will be far less likely to fall for a phishing attack because they will be
looking for the trust indicators in their browser, such as a green address bar,
and they won't see it."

As we know, users don't act on trust indicators in general. And if they did, I'm
not so sure phishers wouldn't find a way to get the green address bar.

> (that was just the first thing that popped up from a quick Google). So that
> leads to two possibilities:
>
> 1. If browser PKI is meant to deal with phishing, and quite obviously doesn't,
> then it's defective and needs to be replaced with alternative mechanisms.
>
> 2. If browser PKI isn't meant to deal with phishing then WTF are browser
> vendors persisting with it and not applying other measures that do actually
> work?

I would claim that Google is doing exactly that (i.e. applying other measures).

>> I don't doubt the effectiveness of the kind of thing you are talking about,
>> but what I would find helpful is something actionable - i.e. "if you did X,
>> then users would actually be better protected, and it won't break the 'net".
>
> That's pretty much what the longer reference I mentioned contains, there's
> something like two to three solid pages of references to research papers and
> (admittedly less rigorous) discussions with technical guys from vendors who do
> internet malware scanning to protect users from harm.

And this is an example of something Google is doing.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
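An added illustration, not part of the thread above, of what the browser's certificate check actually establishes when "the right server" is read as "the one with the domain name you navigated to": the matcher below follows the RFC 6125 hostname rules over certificate data in the dict shape Python's `ssl.getpeercert()` returns. The certificates and the domain names (`bank.example`, `bank-example.com`) are constructed for the example.

```python
from typing import Iterable, Tuple

# Constructed sample certificates in the dict shape ssl.getpeercert() returns.
# BANK_CERT is the genuine site; LOOKALIKE_CERT belongs to a separately
# registered lookalike domain that obtained its own, perfectly valid, certificate.
BANK_CERT = {"subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example"))}
LOOKALIKE_CERT = {"subjectAltName": (("DNS", "www.bank-example.com"),)}


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Follows the RFC 6125 rules browsers apply: case-insensitive, and a
    wildcard is only honoured as the entire leftmost label with at least
    two labels after it (so "*.bank.example" is fine, "*.com" is not).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True when some DNS subjectAltName entry matches the navigated hostname.

    This is the whole identity question PKI answers: "is this the certificate
    for the name in the address bar?" It says nothing about whether that name
    is the one the user believes they are visiting.
    """
    sans: Iterable[Tuple[str, str]] = cert.get("subjectAltName", ())
    return any(kind == "DNS" and name_matches(name, hostname) for kind, name in sans)


def check_outcome(navigated_to: str, cert: dict) -> str:
    """Summarise what the certificate check concludes for one visit."""
    if cert_matches_hostname(cert, navigated_to):
        return f"padlock shown: certificate is valid for {navigated_to}"
    return f"warning shown: certificate is not for {navigated_to}"


if __name__ == "__main__":
    # The lookalike passes as cleanly as the real bank, because it really is the
    # server for the name the user typed. Only presenting the lookalike's
    # certificate under the real bank's name is something this check catches.
    print(check_outcome("www.bank.example", BANK_CERT))
    print(check_outcome("www.bank-example.com", LOOKALIKE_CERT))
    print(check_outcome("www.bank.example", LOOKALIKE_CERT))
```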