Ram A M wrote:
It seems to me FIs are paying the price every day in hard cash - that's pretty motivating. I would have to assume they discuss their concerns with everyone they think might be able to help. I am confident that Netscape had many a talk with many a large FI during its lifetime.
Netscape talked about phishing?
I think it has also taken the FIs a while to wake up. They got the call last month only when that bank in Florida got sued, so some of them may still be behind on the situation, and I just yesterday blogged an article by an industry expert that was bemoaning the state of the security industry, but didn't even recognise that phishing existed. This is the exception I think and hope, to be fair, many FIs have been working quite hard over the last year or so to deal with the issue.
On the whole though, FIs are a bit strapped for solutions as the attack is on the browser, not on their site ... not always the case, see the Netcraft report of cross-platform scripting that they are having to deal with.
I'm not sure where Netscape would be in all this, I suspect they are not in a good position as they wouldn't have much entre now, their browser size being too small, but they have a lot of exposure.
If I was a CA I'd be panicking by now, because CAs are obvious targets when it comes to phishing, and a class action jury isn't necessarily going to follow all the ins and outs of the CPS/CP and all that stuff.
CAs have been targets for as long as they have been part of the gate-keeping system - that's a good argument in favor of requiring effective revocation support for the 'good enough for electronic banking' category of CAs and the code-signing category of CAs. I am many things, a lawyer is not one of them. My understanding is that best practices and best effort are very important criteria in law. That's part of why I think eventually software providers and CAs alike will be driven to quality with respect to security as well.
No, I'm not a lawyer either, but it's instructive to see where this one goes.
I'd suggest you avoid using the word 'trust.' It will cause problems when someone calls you on it.
Eh. I trust the local instance of a big-brand gas station to provide gas of a quality sufficient to keep my car happy. This is because I know they value their brand and their revenue, both of which are tied to reliability of their product. My trust in that gas station does not lead me to expect them to advise me that there is a defect in the brake-system design of my car, not unless they provide brake-system inspection services. I assume that most of the time I interact with reasonable people or companies and so I expect reasonable interpretations; when that is not the case I am much more careful about my presentation. I don't feel this is a hostile environment overridden with pedantic arguments; if that changes I will change my style to suit.
Sorry, to clarify - too many hats. A supplier who uses the word 'trust' had better get it right. In this case, we have phishing so someone obviously didn't get it right. As trust has been used in the past, and as the situation has been heavily sold by all and sundry, unravelling who did all that and who oversold what to whom is going to be interesting.
...
! Well, there you go. As VeriSign has no way to reach ordinary users in the operations of its product, I'm not sure what the market research would test.
I said "not very well empowered" you said "no way." We may genuinely disagree about this.
Well, I think we have to expect some conflict in our views - I am on the outside looking in, and you are I guess on the inside looking out. Having said that, I'm enjoying the chance to debate it with you!
I think those little logos on websites make a difference to people - that's the effect of brand. Notice I said "a difference", not perfect anything, this is not the end state but only the current state in what I believe is still a relatively nascent infrastructure.
So those little logos were sold as trustworthy (in some definition of the word) yet any phisher can copy them. Verisign issued a press release about 2 years back strongly suggesting that browser manufacturers consider putting their logos on the chrome. That may be a very valuable press release for them.
It is, and I'm somewhat surprised that nobody's called me on it before ;) This is a very strategic debate, it's about what happens in the next wave of phishing, where CAs have to face threats.
I think the larger CA operators would claim they do face threats every day. Do you have any data on the enrollment rejection rates?
I do not! But I'd be fascinated to hear about it. I'd be surprised if they did receive serious threats, as if they did, then some have to slip through, and we've never heard about those. Occam's razor suggests that almost all rejection rates would be due to cert purchaser error rather than fraud pickup.
With any luck there will be some defences in place. If it were to start today, I'd think we'd have big problems.
I kind of agree. I think if phishing were 20x more popular we would see MoFo et al rushing to either decimate the root-lists or create distinctions based on practical differences such as authentication and revocation qualities.
:-) Which I think would achieve little. But there you go, that's the essence of the debate.
Although you bring up an interesting point - it may be that the resistance of technical people to user engagement in the security process is based on the "impending" revocation services. So it is certainly apropos.
The other thing to bear in mind is that if the revocation and/or OCSP concepts work then the Netcraft community toolbar concept will work as well. Something for CAs to bear in mind...
http://www.financialcryptography.com/mt/archives/000397.html
Sure, once we have some basic figures on how much fraud these things stop, one can look at the benefit of tuning. Until those figures are in, however, I wouldn't advise too much tuning, that would be premature optimisation.
No offense but I hope the MoFo community disagrees with you.
Your hope is granted, they disagree frequently and at length with me :-)
From my perspective your comment seems to require that until this kind of analysis is provided or becomes available to MoFo that it should only respond and not lead.
The reason I say 'respond' is that the threat is right there and attacking right now. 'Lead' ? I'm not sure what you mean by that. But no-one can do anything but respond, and if they are not responding by now, they are compounding their negligence. (Easy for me to say, I know...)
I can agree with you that conservation of resources is worthy and that doing something just for the sake of not doing nothing is a poor idea. However I think there is a strong and obvious case for valuing revocation checking.
What worries me is that if I was a phisher I'd think that revocation would be easy to bypass. I must admit I don't understand quite how revocation is supposed to work, but it doesn't look like a usefully strong situation, it seems to be easily subject to DoS for example. I'm somewhat minded to the Yahoo experience where their digsig technology actually gave spammers an advantage. Not wishing to blow one's own trumpet there, but that was kind of obvious from the start. I think the fatal flaw here is that people think that attackers will simply follow the rules; they don't, they rewrite them to suit themselves.
Having said all that, we can't predict reliably the future, we can only ask the question. Would you rather face the onslaught of phishers against a revocation service, or have users equipped with TrustBar-like metrics? Maybe both would be nice, but right now, it appears that Mozilla is voting for the revocation approach.
Right now, it's a catch up game - catching up with the phishing.
This has the benefit of having a really clear target. Fix phishing. Doesn't get much clearer than that.
But it does mean that the market is moving and Mozilla has a clear choice - react now as it sees it move, or react too late, and then pay the penalty. The other thing that is very clear is that the next milestone is "this summer" when Microsoft releases its anti-phishing release of IE. Better have a good story to tell by then, just in case Microsoft surprise us all and get it right.
"Get it right" sounds a lot like perfect to me. I think there is value to making imperfect progress. That doesn't require MoFo doing something which eliminates phishing, unless you want the same strategy for phishing that folks are pursuing for spam [hold on, someone will come up with a perfect solution that eliminates all spam, protects individual privacy, costs nothing, and has no phase-in problems].
LOL... no, see my comments on spam above.
Let me define 'get it right': A fair effort that does some positive stuff towards addressing phishing. (maybe it will include revocation, maybe branding, who knows...). But, Mozilla's problem is that if Microsoft gets it right (a fair effort) and Mozilla doesn't, then the latter's very nice security brand will be .. subject to some unkind attention.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
