Ian Grigg | 2 Dec 14:42 2004

2005 - The Year of the Snail

FTR (2)!   iang

(((((( Financial Cryptography Update: 2005 - The Year of the Snail ))))))

                           December 01, 2004

------------------------------------------------------------------------

http://www.financialcryptography.com/mt/archives/000263.html

------------------------------------------------------------------------

So if 2004 depressingly swims past us as the year of the Phish, what
then will 2005 bring?

Worse, much worse.  The issue is this: during the last 12 months, the
Internet security landscape changed dramatically.  A number of known,
theoretical threats surfaced, became real, and became
institutionalised.  Here's a quick summary:

1.  Viruses started to do more than just replicate and destroy:  they
started to steal.  The first viruses that scanned for valuable
information surfaced, and the first that installed keyloggers that
targeted specific websites and banking passwords.  Just this week, the
first attack on the root list of SSL browsers was being tracked by
security firms.

2.  Money started to be made in serious amounts in phishing.  This then
fed into other areas, as phishers *invested* their ill-gotten gains,
which led to the next development:
(Continue reading)

Ian Grigg | 2 Dec 14:37 2004

2004 - The Year of the Phish

FTR (1)!  iang

(((((( Financial Cryptography Update: 2004 - The Year of the Phish ))))))

                           December 01, 2004

------------------------------------------------------------------------

http://www.financialcryptography.com/mt/archives/000262.html

------------------------------------------------------------------------

Last year, 2003, was a depressing year.  We watched the phishing thing loom and rise, and for the most
part, security experts fudged, denied, shuffled and ignored while the phish was reeled in.  Now, 2004
can truly be said to be the Year of the Phish.

There is progress.  Firefox have added two small but nice additions to their browser to address
phishing.  If you download Firefox (and if you haven't yet, you are now classified as too insecure to
be permitted to browse) you can see these when you go to your banking site.  On the bottom right, there
is a little box containing the domain that is seen by the browser.  Also, notice how the URL bar
changes colour.

Get used to these things, as they are about the only things protecting you from phishing.

More is needed, however, much much more.  Whilst I am somewhat ecstatic that Mozilla programmers have
started on this journey, the amount done so far is dwarfed by what would be required to fully address
phishing in the browser, and no other manufacturer of browsers seems to have even woken up yet.

(Just briefly, the Certificate Authority needs to be shown.  Further, the cert needs to be "tracked" by
the browser, and a relationship built up.  I've suggested a usage count (100 times to this site, you
(Continue reading)

zeddock | 2 Dec 20:43 2004

Re: Virus protection

hankmackxxxx <at> usa.net wrote:
> What type of virus protection are you using for FireFox?  I am running on MS
> Windows.  Thanks
> 
I like Panda Platinum IS.  Not as much marketing in the USA, but it is 
extremely good IMO.
http://www.WebHonor.com
Click on FILES and look.

-zeddock
Gervase Markham | 3 Dec 18:50 2004

Re: 2004 - The Year of the Phish

Ian Grigg wrote:
> (Just briefly, the Certificate Authority needs to be shown.  

How exactly does this help the average user, who has no idea who 
"Verisign" are, and whether they should be trusted any more than 
"VirtuaRoot" (a name I just invented)?

> Further,
> the cert needs to be "tracked" by the browser, and a relationship built
> up.  I've suggested a usage count (100 times to this site, you must
> like it!).  

That's a reasonable idea - sort of like a history for certs. But I still 
can't see how you can detect and warn the user of a problem. Do you pop 
up "New secure site" every time you visit a new SSL site?

> Amir and Ahmad have suggested that the user sign off on
> the cert and even coded it up, 

Again, how on earth do you get the user to make a meaningful decision here?

> while Tyler has suggested the use of 
> petnames for the user's idea of what each site is.  

We have that - it's called bookmark keywords.

Gerv
Ian Grigg | 3 Dec 20:17 2004

Re: 2004 - The Year of the Phish

> Ian Grigg wrote:
>> (Just briefly, the Certificate Authority needs to be shown.
>
> How exactly does this help the average user, who has no idea who
> "Verisign" are, and whether they should be trusted any more than
> "VirtuaRoot" (a name I just invented)?

Good question.  The answer:  Branding.  VeriSign
and other CAs would need to establish their brand
with the public.  Verisign would need to act like
Intel or Coke or Ford and establish a brand that
speaks of trust.

The problem is foisted on us somewhat by the PKI
design.  At the moment, any cert signed by any CA
is assumed to be good by the software, but it's
pretty easy to see and to show that that is a really
bad assumption.  Now, if we are going to have a PKI
where a CA is expected to be trusted, then that name
must be known by whoever relies on that trust (the
user).

The alternate is that the CA never needs to stand
up to the trust that the user demands, and thus is
untrusted.  Which is the situation we have now, in
that CAs are essentially trusted in lip service only.
In reality, whether they are worthy of any trust is
a complete lottery, and neither should they bother
to earn that trust, because nobody knows who they
are anyway.  So they can't be punished if they do
(Continue reading)

Tyler Close | 4 Dec 15:25 2004

Re: 2004 - The Year of the Phish


On Dec 3, 2004, at 9:50 AM, Gervase Markham wrote:
>
>> while Tyler has suggested the use of petnames for the user's idea of 
>> what each site is.
>
> We have that - it's called bookmark keywords.

Bookmark keywords and petnames are similar concepts, but with some 
crucial differences. These differences are what thwart phishing 
attacks.

A bookmark keyword is a mapping from a user chosen word to a URL:
[ keyword => URL ]. The user enters the keyword and the browser 
navigates to the corresponding URL.

In general, a petname is a bidirectional mapping between a user chosen 
word and a self-authenticating designator. In the context of a WWW 
browser, a petname is a mapping from an SSL public key hash to a user 
chosen word: [ SSL public key hash => petname ]. After navigating to a 
URL, the browser looks up the corresponding petname and displays it, or 
displays "unknown" if no petname is currently assigned. It's this 
reverse mapping, not performed by keywords, that thwarts phishing 
attacks. I've written a paper detailing how and why this works, see:

http://www.waterken.com/dev/YURL/Name/

While we're on the topic of bookmark keywords and phishing, I have a 
gripe with the current implementation of keywords in Firefox.

(Continue reading)
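
The difference Tyler describes above, as an added example that is not part of the thread and not Tyler's or Firefox's code: a forward-only keyword map beside a petname tool that keeps the reverse map from a key hash to a user chosen word. The site URLs, the "public keys" (plain byte strings) and the use of SHA-256 as the key hash are all constructed assumptions for the demo; the thread names no hash function.

```python
"""Added example (not from the thread): keyword bookmarks vs. petnames.

A keyword bookmark is a forward map  [keyword => URL].
A petname tool keeps a reverse map   [SSL public key hash => petname]
and shows the petname, or "unknown", after every navigation.
Every key, URL and site below is constructed for the demo.
"""
import hashlib


def key_hash(public_key: bytes) -> str:
    """Self-authenticating designator for a site: a hash of the public
    key it presents over SSL.  (SHA-256 is an assumption of this demo.)"""
    return hashlib.sha256(public_key).hexdigest()


class KeywordBookmarks:
    """Forward map only: a user chosen word resolves to a URL."""

    def __init__(self):
        self._urls = {}

    def add(self, keyword: str, url: str) -> None:
        self._urls[keyword] = url

    def navigate(self, keyword: str):
        # Returns the bookmarked URL, or None when the keyword is unknown
        # (a mistyped keyword is refused rather than silently sent elsewhere).
        return self._urls.get(keyword)


class PetnameTool:
    """Reverse map: the key the site presents is looked up to find the
    name the user previously assigned to that key."""

    def __init__(self):
        self._petnames = {}

    def assign(self, public_key: bytes, petname: str) -> None:
        self._petnames[key_hash(public_key)] = petname

    def display(self, public_key: bytes) -> str:
        # No petname for this key means the user has never named this site,
        # however familiar its domain name or page may look.
        return self._petnames.get(key_hash(public_key), "unknown")


# Constructed "internet": URL -> public key the server presents over SSL.
BANK_KEY = b"constructed public key of the real bank"
PHISH_KEY = b"constructed public key of the phishing host"
SITES = {
    "https://www.example-bank.test/": BANK_KEY,
    "https://www.examp1e-bank.test/": PHISH_KEY,  # lookalike domain
}


def visit(url: str, petnames: PetnameTool, sites=SITES) -> str:
    """Simulate navigation: take the key the site presents during the SSL
    handshake and return what the petname display would show."""
    presented_key = sites[url]
    return petnames.display(presented_key)


def demo() -> dict:
    keywords = KeywordBookmarks()
    keywords.add("bank", "https://www.example-bank.test/")

    petnames = PetnameTool()
    # The user assigns the petname once, on a visit they trust.
    petnames.assign(SITES[keywords.navigate("bank")], "My Bank")

    return {
        # Typed keyword: forward map yields the right URL, reverse map confirms it.
        "via keyword": visit(keywords.navigate("bank"), petnames),
        # Link from a phishing mail: a different key, so the reverse map finds nothing.
        "via phish link": visit("https://www.examp1e-bank.test/", petnames),
        # Mistyped keyword: the forward map has no entry.
        "mistyped keyword": keywords.navigate("bnak"),
        # The bank rolls its key: the old petname no longer matches either.
        "bank after key change": petnames.display(b"constructed rotated bank key"),
    }


if __name__ == "__main__":
    for case, shown in demo().items():
        print(f"{case:24s} -> {shown}")
```

The last case is the flip side of binding the name to the key hash rather than to the domain: a lookalike domain can never inherit the petname, but a legitimate key change at the real site also shows as "unknown" until the user names the new key, so a deployment has to decide how to treat key rollover.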

Atta Ullah | 6 Dec 15:06 2004

Accessing Certificate Store of Mozilla

How can I access the certificate store of Mozilla or Netscape
Navigator to check out the imported certificates in the certificate
store, either using ssn or any other APIs?

Atta
Gervase Markham | 7 Dec 13:37 2004

Re: 2004 - The Year of the Phish

Ian Grigg wrote:
> Good question.  The answer:  Branding.  VeriSign
> and other CAs would need to establish their brand
> with the public.  Verisign would need to act like
> Intel or Coke or Ford and establish a brand that
> speaks of trust.

Isn't that just reinforcing the monopoly they currently have on SSL 
certs? And raising the barrier to entry for newcomers?

> The problem is foisted on us somewhat by the PKI
> design.  At the moment, any cert signed by any CA
> is assumed to be good by the software, but it's
> pretty easy to see and to show that that is a really
> bad assumption.  Now, if we are going to have a PKI
> where a CA is expected to be trusted, then that name
> must be known by whoever relies on that trust (the
> user).

Or the trust has to be assessed by the user's software provider.

> It's a bit like if I were to sell you a can of
> Coke that was coloured green.  I say it's coke,
> but you know something's wrong coz you've always
> had familiar red cans.  That signal should be
> sufficient to get the average user thinking a
> bit more.

I suspect the average user would (if you told them) just assume it was a 
promotion.
(Continue reading)

Gervase Markham | 7 Dec 13:39 2004

Re: 2004 - The Year of the Phish

Tyler Close wrote:
> I use Firefox keywords to keep links to my online bank account, and 
> other important accounts. This way, I can be sure I am using the correct 
> URL each time I access the account. Unfortunately, if I mistype the 
> keyword, Firefox does not notify me of my error, but instead navigates 
> to some other site, without providing any indication that something may 
> be amiss.

Yeah, that does suck. You can turn it off, though.

Gerv
Ian Grigg | 7 Dec 14:52 2004

Re: 2004 - The Year of the Phish

> Ian Grigg wrote:
>> Good question.  The answer:  Branding.  VeriSign
>> and other CAs would need to establish their brand
>> with the public.  Verisign would need to act like
>> Intel or Coke or Ford and establish a brand that
>> speaks of trust.
>
> Isn't that just reinforcing the monopoly they currently have on SSL
> certs? And raising the barrier to entry for newcomers?

On a first order analysis, "branding" has that effect.
But, on further analysis of the economic effects of all
the factors, I don't necessarily think so.  There are
these things that can be said:

1.  The reason there is a strong dominating player at
the moment is because there is no way to compete.  The
lack of branding is an indication of lack of competition,
not the reverse.  Basically, the marketplace for certs
is primitive, "broken" in the techies' lingo, and adding
branding would be one way to make it competitive.  If
all of the elements were employed ("if PKI is fixed")
then the structure of the marketplace would be very
different.  For example:

2.  One of the essential fixes is to permit a graduated
array of cert protection.  Currently the system is
binary;  either nothing or CA-signed cert.  What we
would desire would be a migration from nothing to self-
signed-certs to bargain CA-signed certs to heavily
(Continue reading)
