Ian G wrote:
> Ram A M wrote:

> Netscape talked about phishing?

Consider that the banks were Netscape's customers and the banks'
customers were Netscape's users as well.


> I think it has also taken the FIs a while to wake
> up.  They got the call last month only when that
> bank in Florida got sued

I don't think the FIs believe they "got the call last month."


> to be fair, many
> FIs have been working quite hard over the last year
> or so to deal with the issue.

FIs have been paying attention to security issues for much longer than
a year.


> A supplier who
> uses the word 'trust' had better get it right.

I am not a supplier; I am a person, and as such I don't generally expect
perfection to maintain my trust.


> In
> this case, we have phishing so someone obviously
> didn't get it right.

There is no "someone" to point the finger at. There is an
infrastructure that has had major changes of late and some time is
needed for the dust to settle. Off the top of my head I don't know what
current estimated losses are due to public network based crimes but my
guess is that it is small relative to the equivalent non-network based
crimes and as that ratio changes things will improve.


> As trust has been used in the
> past, and as the situation has been heavily sold by
> all and sundry, unravelling who did all that and who
> oversold what to whom is going to be interesting.

There is a whole industry dedicated to keeping track of what society
wants and who to point the finger at.


> Well, I think we have to expect some conflict in our
> views - I am on the outside looking in, and you are
> I guess on the inside looking out.

I don't see why that should necessitate disagreement - I think you're a
bit pessimistic.


> Having said that,
> I'm enjoying the chance to debate it with you!

I enjoy a good debate.


> > I think the larger CA operators would claim they do face threats every
> > day. Do you have any data on the enrollment rejection rates?
>
>
> I do not!  But I'd be fascinated to hear about it.
> I'd be surprised if they did receive serious threats,

There are many forms of threat.


> as if they did, then some have to slip through, and
> we've never heard about those.

I am surprised that you've never heard of VeriSign making a mistake in
ten years of operations.


> >>With any luck there will be
> >>some defences in place.  If it were to start today, I'd
> >>think we'd have big problems.
> >
> >
> > I kind of agree. I think if phishing were 20x more popular we would see
> > MoFo et al rushing to either decimate the root-lists or create
> > distinctions based on practical differences such as authentication and
> > revocation qualities.
>
>
> :-)  Which I think would achieve little.  But there
> you go, that's the essence of the debate.

Huhh?


> The reason I say 'respond' is that the threat is
> right there and attacking right now.  'Lead' ?

Fair enough.


> > I can agree with you that conservation of
> > resources is worthy and that doing something just for the sake of not
> > doing nothing is a poor idea. However I think there is a strong and
> > obvious case for valuing revocation checking.
>
>
> What worries me is that if I was a phisher I'd think
> that revocation would be easy to bypass.  I must
> admit I don't understand quite how revocation is
> supposed to work, but it doesn't look like a usefully
> strong situation, it seems to be easily subject to
> DOS for example.

You might find revocation technologies interesting given your passion
on the topic. I suggest you consider learning about it. It is not
perfect but it is an effective improvement.


> I think the fatal flaw here is that
> people think that attackers will simply follow the
> rules;  they don't, they rewrite them to suit them
> selves.

Professionals don't think that.


> Having said all that, we can't predict reliably the
> future, we can only ask the question.  Would you
> rather face the onslaught of phishers against a
> revocation service, or have users equipped with
> TrustBar-like metrics?  Maybe both would be nice,
> but right now, it appears that Mozilla is voting
> for the revocation approach.

You should be pleased, revocation is good stuff.


> Let me define 'get it right':  A fair effort that
> does some positive stuff towards addressing phishing.
> (maybe it will include revocation, maybe branding,
> who knows...).  But, Mozilla's problem is that if
> Microsoft gets it right (a fair effort) and Mozilla
> doesn't, then the latter's very nice security brand
> will be .. subject to some unkind attention.

I like a competitive system. If Mozilla and Microsoft and Opera and
others compete on security that's not bad. I don't think one single
person at any of those organizations would be saddened by progress.

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto