Frank Hecker wrote:

> * In theory this approach is not dependent on any browser features,
> since at a minimum AOL as an ISP could just block connection attempts
> "in the cloud". However it may be that AOL is planning some special UI
> in the AOL client to support phishing-specific warning messages. The
> press release is not clear on whether this feature will work with
> non-AOL clients connecting through the AOL network.

Why go to the trouble of hacking something into a browser, then getting
everyone to upgrade, when you can just throw up an error message and have
the site blocked by transparent proxies that carry a blacklist of
URLs... You could even go so far as allowing the user to override if they
really, really want to, which would help with the false positive situation,
where an innocent site is blocked because of poor list management etc...

> * This approach is also not dependent on SSL, much less on CA revocation

Everyone keeps mentioning SSL and phishing, yet the only person to have
claimed to have seen an SSL phishing attack actually had a certificate
signed by a built-in CA. While it might occur in future, this will
require a LOT of user education; after all, people are stupid enough to
open up zip files and still infect themselves. Until the level of
education increases (highly unlikely at the current rates), I don't see
that SSL will be considered much benefit to the guys doing phishing
attacks, as it would increase the risk of tracking them down versus
little or no real benefit.

> * This approach is obviously analogous to anti-spam blacklists. Whether
> it will be more effective in practice than anti-spam blacklists is an
> open question; I can think of points both for and against this. However

The against depends on how they handle blocking: if they do it in some
kind of sane manner where they verify each address, rather than blindly
accepting requests, then maybe; otherwise they'll end up like a lot of
RBLs, in that they are over-zealously added to and end up doing harm
(and getting sued?) to real businesses. RBLs in some cases are OK,
others aren't; it's all about the implementation...

> * Apparently Cyota originally marketed their FraudAction anti-phishing
> service to banks, presumably to support banks' effort to shut down

If their list of current clients is valid and anything to go by it looks
like they managed to get business from a fair few banks...

> * It is interesting to contemplate Cyota or someone else offering an
> analogous service to individual users, e.g., implemented through an IE
> add-on or Firefox extension that does real-time checks of the blacklist.
> Implementation issues aside, this would directly provide information to
> phishers as to whether or not their sites were on the blacklist yet, but
> I presume they could determine that anyway just by trying to connect to
> it through AOL or another ISP offering the service.

There is going to be a time frame in which they won't be blacklisted, not
to mention that not everyone will be subscribed to or use the service, so
this will simply increase the number of hacked sites used, or increase
domain registrations before the spam run, then dump random domains in
random emails...

-- 

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
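The proxy-side URL blacklist with a user override that Duane sketches above, as an added example that is not part of the original post or of any AOL or Cyota product. Everything here is constructed: the blacklist entries, the hostnames (all under the reserved `.test` TLD), the user names and the `ProxyPolicy` class are hypothetical. The point it makes beyond the text is that a blacklist match on the proxy has to be done on a normalised URL, because phishing mail routinely obfuscates the address (a `user@` prefix naming the real bank, mixed case, %-encoded path bytes, an explicit default port), and a naive string comparison would let every such variant through.

```python
"""Toy model of a transparent proxy consulting a URL blacklist.

Constructed example, not code from AOL, Cyota or the mozilla-security list.
All blacklist entries, URLs and user names below are made up.
"""
from urllib.parse import urlsplit, unquote

# Constructed blacklist. BLACKLIST_URLS holds exact phishing pages;
# BLACKLIST_HOSTS holds whole hosts, where a leading '.' also covers
# every subdomain (the usual RBL-style convention).
BLACKLIST_URLS = {
    "http://example-bank-login.test/secure/update.php",
}
BLACKLIST_HOSTS = {
    ".phish.example.test",
}


def normalise(url):
    """Return a canonical (scheme, host, port, path) tuple.

    Lower-cases scheme and host, drops any 'user:pass@' prefix (the classic
    'http://www.realbank.com@evil.test/' trick), converts Unicode hosts to
    their punycode form, fills in the default port and %-decodes the path,
    so obfuscated variants compare equal to the plain blacklist entry.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-case
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # malformed label: keep it as-is, it will simply not match
    try:
        port = parts.port
    except ValueError:
        port = None
    port = port or {"http": 80, "https": 443}.get(scheme)
    path = unquote(parts.path) or "/"
    return scheme, host, port, path


def host_blacklisted(host):
    """Match a normalised host against whole-host entries."""
    for entry in BLACKLIST_HOSTS:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def url_blacklisted(url):
    """True if the URL (after normalisation) is on either list."""
    key = normalise(url)
    if host_blacklisted(key[1]):
        return True
    return any(normalise(bad) == key for bad in BLACKLIST_URLS)


class ProxyPolicy:
    """Per-request decision of the proxy.

    Unlisted URLs are allowed (which is exactly the window before a new
    phishing domain gets listed). Listed URLs are blocked with a warning
    page, unless this user has explicitly overridden the warning for that
    host: the false-positive escape hatch suggested in the post.
    """

    def __init__(self):
        self.overrides = set()  # (user, normalised host) pairs

    def override(self, user, url):
        """Record that `user` chose to proceed to this host anyway."""
        self.overrides.add((user, normalise(url)[1]))

    def decide(self, user, url):
        _, host, _, _ = normalise(url)
        if not url_blacklisted(url):
            return "ALLOW"
        if (user, host) in self.overrides:
            return "ALLOW-OVERRIDDEN"
        return "BLOCK"


if __name__ == "__main__":
    policy = ProxyPolicy()
    # Obfuscated form of the listed page: realbank 'user', mixed case,
    # explicit default port, %-encoded 'u' in 'update'.
    obfuscated = "HTTP://www.example-bank.test@Example-Bank-Login.test:80/secure/%75pdate.php"
    print(policy.decide("bob", obfuscated))                              # BLOCK
    print(policy.decide("bob", "https://login.phish.example.test/"))    # BLOCK
    policy.override("alice", "https://login.phish.example.test/")
    print(policy.decide("alice", "https://login.phish.example.test/2"))  # ALLOW-OVERRIDDEN
    print(policy.decide("bob", "https://www.example-bank.test/login"))  # ALLOW
```

The override is keyed per user and per host rather than per exact URL, so one click on the warning page does not silently whitelist the host for every other customer behind the same proxy, while the user who insisted is not re-prompted on every page of the site. Nothing here addresses the list-management problem raised later in the post: a freshly registered phishing domain is simply unlisted and gets "ALLOW" until someone verifies and adds it.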