On 4/20/05, Frank Hecker <[EMAIL PROTECTED]> wrote:
> I thought this was interesting:
>
> http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=55254369
> 
> The basic summary: AOL will try to block AOL members' attempts to
> connect to phishing sites, using a blacklist of suspected phishing sites
> provided by Cyota <http://www.cyota.com/>.
> 
> Some brief comments:
> 
> * In theory this approach is not dependent on any browser features,
> since at a minimum AOL as an ISP could just block connection attempts
> "in the cloud". However it may be that AOL is planning some special UI
> in the AOL client to support phishing-specific warning messages. The
> press release is not clear on whether this feature will work with
> non-AOL clients connecting through the AOL network.

Google has a report phishing feature and a phishing detection feature
in GMail. Perhaps they will work together to improve the overall
safety of the community.


> * This approach is also not dependent on SSL, much less on CA revocation
> of SSL certs. It's also presumably significantly faster to detect and
> shut down sites than an approach based on OCSP validation of certs, since
> IIRC the current state of OCSP is that the timeframe for revocation is
> driven by the schedule for issuance of CRLs, i.e., the results of an
> OCSP check are not necessarily any more up to date than the results of a
> CRL check.

Actually, in the common case of a CA operating an OCSP responder, the
revocation information can be as current as the request even if the
relevant CRL isn't updated for hours (or days). That is, OCSP
revocation is as timely as identifying the operational policy violation, so
I suggest you turn OCSP checking on in your personal browser
configuration, as that will save you from some phishing, pharming, and
homograph attacks.


> * This approach is obviously analogous to anti-spam blacklists. Whether
> it will be more effective in practice than anti-spam blacklists is an
> open question; I can think of points both for and against this. However
> certainly anything that limits the expected lifetime of a phishing site
> is a good thing, and if browsers and other factors were to force
> phishing sites to use domain names (as opposed to IP addresses) and SSL
> certificates (even domain-validated ones) then this puts a minimum cost
> in place per phishing site to weigh against the expected revenue for the
> few hours a site might be up before being blocked.

I agree, if I can paraphrase -> limiting the benefits of fraud reduces fraud.


> * Apparently Cyota originally marketed their FraudAction anti-phishing
> service to banks, presumably to support banks' effort to shut down
> phishing sites impersonating them. Clearly if I were Cyota I would be
> trying to market this now to every major ISP, since it would clearly be
> a feature ISPs could market to their users (as AOL is doing), at least
> until every ISP implements something like this.

This is an active market. There are several companies offering take
down or monitoring related services for FIs and other high value
targets, including VeriSign.

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
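The block-list approach the press release describes (and the point in the thread about phishing sites hiding behind IP addresses or look-alike domain names) comes down to a host lookup. The following is an added example written for this page; it is not AOL's, Cyota's or Mozilla's code. It uses only the Python standard library, and every list entry and URL in it is constructed for illustration (the list format, the entry-matches-subdomains rule and the two sample lists are assumptions). It normalises internationalised names to punycode so a homograph cannot slip past an ASCII list, matches a listed domain against its subdomains, and decodes IP-literal hosts, including the single-integer form phishing mail has used to disguise a dotted-quad address.

```python
"""Phishing block-list lookup: added example, not AOL's or Cyota's code.

Every list entry and every URL used below is constructed for
illustration; nothing here is a real phishing site.
"""
import ipaddress
from urllib.parse import urlsplit


def normalize_host(host):
    """Canonicalise a hostname so list entries and lookups compare equal.

    Lower-cases, drops a trailing dot, and converts internationalised
    names to their punycode (xn--) form so a homograph such as a
    Cyrillic-'a' look-alike of a brand cannot slip past an ASCII list.
    Returns None if the name cannot be encoded.
    """
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        host = host[1:-1]
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


# Constructed block list (assumed format: bare hostnames; an entry also
# matches every subdomain of that name). Entries are normalised once at load.
_RAW_HOSTS = [
    "secure-login.example.net",
    "p\u0430ypal.com",  # Cyrillic U+0430 homograph; stored in its xn-- form
]
PHISHING_HOSTS = {normalize_host(h) for h in _RAW_HOSTS}

# Constructed list of IP ranges hosting phishing pages (TEST-NET-1 stands in).
PHISHING_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def host_to_ip(host):
    """Return an ip_address if `host` is an IP literal, else None.

    Also decodes the single-integer form (http://3221225985/) that
    phishing mail has used to hide a dotted-quad address.
    """
    if host.isdigit():
        value = int(host)
        return ipaddress.ip_address(value) if value < 2 ** 32 else None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify_url(url):
    """Return ("block" | "allow", reason) for a URL checked against the lists."""
    if "://" not in url:
        url = "http://" + url
    raw_host = urlsplit(url).hostname
    if not raw_host:
        return "allow", "no host in URL"
    host = normalize_host(raw_host)
    if host is None:
        return "allow", "host %r could not be normalised" % raw_host

    addr = host_to_ip(host)
    if addr is not None:
        for net in PHISHING_NETWORKS:
            if addr in net:
                return "block", "address %s is in listed range %s" % (addr, net)
        return "allow", "address %s not listed" % addr

    # Walk from the full name up to (but not including) the bare TLD, so a
    # listed domain also catches www.<domain>, login.<domain> and so on.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in PHISHING_HOSTS:
            return "block", "host %s matches listed domain %s" % (host, candidate)
    return "allow", "host %s not listed" % host


if __name__ == "__main__":
    for u in ["http://www.secure-login.example.net/account",
              "http://p\u0430ypal.com/signin",
              "http://3221225985/",
              "https://example.net/"]:
        print(u, "->", classify_url(u))
```

A lookup of this kind can run at the ISP ("in the cloud") or in the client; the only difference is where the reason string ends up, in a log or in a warning page. Note the conservative choice that a host which cannot be normalised is allowed rather than blocked; a deployment would log those for review.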