On 7-Jul-06, at 1:06 PM, Hallam-Baker, Phillip wrote:
1) Most sites are not targeted by phishers today, and
unlikely to be targeted in the future, so they should not be
forced to put in technology for resolving phishing.
This is completely wrong.
Every type of site is targeted by criminal schemes, blogs are
currently targets for spam and for dropping trojans onto user
machines via spyware.
If I can get hold of a blogger's username and password I can
install a trojan dropper onto their site. Blogger has been infested
with hundreds of thousands of sites with music backgrounds provided
by spyware companies.
There are already extensive attacks against search engines. If you
can see the searches someone has done recently you can quickly
build up a picture to use in an identity theft.
Just to clarify, phishers are spoofing Google and Blogger to steal
credentials? If so, I stand corrected.
2) Currently the user has NO trusted site or client and is
easily phished. Once the user has one trusted software
system, then that system can more easily determine the
identity of other sites. In other words, the user will not
have to build up the full assurance stack with each site, the
user can leverage something they already trust to assist in
making the trust decision.
The problem is not a lack of trusted sites, it is a lack of sites
that are trustWORTHY.
Agreed. Semantics is not one of my stronger skills. :-)
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix