Frank Hecker wrote:
> I thought this was interesting:
> http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=55254369
> The basic summary: AOL will try to block AOL members' attempts to
> connect to phishing sites, using a blacklist of suspected phishing sites
> provided by Cyota <http://www.cyota.com/>.
> Some brief comments:
> * In theory this approach is not dependent on any browser features,
> since at a minimum AOL as an ISP could just block connection attempts
> "in the cloud". However it may be that AOL is planning some special UI
> in the AOL client to support phishing-specific warning messages. The
> press release is not clear on whether this feature will work with
> non-AOL clients connecting through the AOL network.

The approach is also similar to that of Netcraft's
plugin and I think Trustbar and/or Comodo might have
similar intentions.

> * This approach is also not dependent on SSL, much less on CA revocation
> of SSL certs. It's also presumably significantly faster to detect and
> shut down sites than an approach based on OCSP validation of certs, since
> IIRC the current state of OCSP is that the timeframe for revocation is
> driven by the schedule for issuance of CRLs, i.e., the results of an
> OCSP check are not necessarily any more up to date than the results of a
> CRL check.
The average basket of slave boxes was something like
10k for $500 .. these are scary numbers; and it makes
me wonder just how one goes about shutting down a
distributed attack with any speed. Even if you know
all the 10k IP numbers up front, I'd imagine your
router admins would have some rude things to say about
being asked to block so many.
> * This approach is obviously analogous to anti-spam blacklists. Whether
> it will be more effective in practice than anti-spam blacklists is an
> open question; I can think of points both for and against this. However
> certainly anything that limits the expected lifetime of a phishing site
> is a good thing, and if browsers and other factors were to force
> phishing sites to use domain names (as opposed to IP addresses) and SSL
> certificates (even domain-validated ones) then this puts a minimum cost
> in place per phishing site to weigh against the expected revenue for the
> few hours a site might be up before being blocked.
I suspect that the blacklist provider will come under
serious attack, both in concert with phishing attacks,
and more strategically. Do they have the wherewithal
to be a single point of failure?
> * It is interesting to contemplate Cyota or someone else offering an
> analogous service to individual users, e.g., implemented through an IE
> add-on or Firefox extension that does real-time checks of the blacklist.
This is more or less there with Netcraft's plugin,
has anyone tried it?
All in all, I am skeptical; I think it moves the bar
up a few cm, but more steroids move it down again, so
it's another short-term fix like the 2-factor tokens
that are being sold now. We'll see! It's a free market
in security solutions.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
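A client-side lookup of the kind Frank contemplates (an IE add-on or Firefox extension doing real-time blacklist checks), as an added example that is not part of this thread nor code from AOL, Cyota or Netcraft. It assumes a constructed feed of blocked hosts (the post does not describe Cyota's format) and an assumed one-hour freshness limit, so a stale list is reported rather than trusted, the same freshness concern raised above about CRL-driven OCSP; it also flags bare IP-literal hosts, which is the "domain names versus IP addresses" distinction Frank mentions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample feed (hypothetical format): when it was fetched and
# which hosts are currently listed as phishing sites.
SAMPLE_FEED = {
    "fetched_at": datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc),
    "hosts": {"login-update.example", "203.0.113.7"},
}
# Assumed policy: a list older than this is not trusted as authoritative.
MAX_FEED_AGE = timedelta(hours=1)


def normalize_host(url):
    """Return (host, is_ip_literal); host is None if the URL has no host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()  # drop trailing dot
    if not host:
        return None, False
    try:
        ipaddress.ip_address(host)
        return host, True
    except ValueError:
        return host, False


def check_url(url, feed=SAMPLE_FEED, now=None):
    """Classify a URL as 'blocked', 'suspect', 'allowed' or 'stale-feed'."""
    now = now or datetime.now(timezone.utc)
    if now - feed["fetched_at"] > MAX_FEED_AGE:
        return "stale-feed"  # do not pretend an old list is a clean bill
    host, is_ip = normalize_host(url)
    if host is None:
        return "allowed"
    # Match the host and each parent domain (but never the bare TLD), so
    # www.login-update.example is caught by a listing of login-update.example.
    labels = host.split(".")
    candidates = [host] if is_ip else [
        ".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))
    ]
    if any(c in feed["hosts"] for c in candidates):
        return "blocked"
    if is_ip:
        return "suspect"  # not listed, but a bare IP host is worth a warning
    return "allowed"
```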
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security