FTR (1)!  iang



(((((( Financial Cryptography Update: 2004 - The Year of the Phish ))))))

                           December 01, 2004


------------------------------------------------------------------------

http://www.financialcryptography.com/mt/archives/000262.html



------------------------------------------------------------------------

Last year, 2003, was a depressing year.  We watched the phishing thing loom and rise, and for the most part, security experts fudged, denied, shuffled and ignored while the phish was reeled in.  Now, 2004 can truly be said to be the Year of the Phish.

There is progress.  Firefox have made two small but nice additions to their browser to address phishing.  If you download Firefox (and if you haven't yet, you are now classified as too insecure to be permitted to browse) you can see these when you go to your banking site.  On the bottom right, there is a little box containing the domain that is seen by the browser.  Also, notice how the URL bar changes colour.

Get used to these things, as they are about the only things protecting you from phishing.

More is needed, however, much much more.  Whilst I am somewhat ecstatic that Mozilla programmers have started on this journey, the amount done so far is dwarfed by what would be required to fully address phishing in the browser, and no other manufacturer of browsers seems to have even woken up yet.

(Just briefly, the Certificate Authority needs to be shown.  Further, the cert needs to be "tracked" by the browser, and a relationship built up.  I've suggested a usage count (100 times to this site, you must like it!).  Amir and Ahmad have suggested that the user sign off on the cert and even coded it up, while Tyler has suggested the use of petnames for the user's idea of what each site is.  They all have their purposes and benefits, and a solution that used all of these and more would be very powerful against phishing.  Oh, and all this needs to be "in the face" and not discreetly hidden down in some forgotten corner.)

Most of this was known in 2003, by one means or another.  But even though we have now, to all intents and purposes, had a full year of devastating losses due to phishing (more money lost than was ever spent on SSL certs), we still can't say with any degree of confidence that people understand that the browser is being attacked and the browser is where the defences should be placed.





_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security