Gervase Markham | 3 Dec 2004 18:50

Re: 2004 - The Year of the Phish

Ian Grigg wrote:
> (Just briefly, the Certificate Authority needs to be shown.  

How exactly does this help the average user, who has no idea who 
"Verisign" are, and whether they should be trusted any more than 
"VirtuaRoot" (a name I just invented)?

> Further,
> the cert needs to "tracked" by the browser, and a relationship built
> up.  I've suggested a usage count (100 times to this site, you must
> like it!).  

That's a reasonable idea - sort of like a history for certs. But still 
can't see how you can detect and warn the user of a problem. Do you pop 
up "New secure site" every time you visit a new SSL site?

> Amir and Ahmad have suggested that the user sign off on
> the cert and even coded it up, 

Again, how on earth do you get the user to make a meaningful decision here?

> while Tyler has suggested the use of 
> petnames for the user's idea of what each site is.  

We have that - it's called bookmark keywords.

Gerv
Tyler Close | 4 Dec 2004 15:25

Re: 2004 - The Year of the Phish


On Dec 3, 2004, at 9:50 AM, Gervase Markham wrote:
>
>> while Tyler has suggested the use of petnames for the user's idea of 
>> what each site is.
>
> We have that - it's called bookmark keywords.

Bookmark keywords and petnames are similar concepts, but with some 
crucial differences. These differences are what thwart phishing 
attacks.

A bookmark keyword is a mapping from a user-chosen word to a URL: [ 
keyword => URL ]. The user enters the keyword and the browser navigates 
to the corresponding URL.

In general, a petname is a bidirectional mapping between a user-chosen 
word and a self-authenticating designator. In the context of a WWW 
browser, a petname is a mapping from an SSL public key hash to a 
user-chosen word: [ SSL public key hash => petname ]. After navigating to a 
URL, the browser looks up the corresponding petname and displays it, or 
displays "unknown" if no petname is currently assigned. It's this 
reverse mapping, not performed by keywords, that thwarts phishing 
attacks. I've written a paper detailing how and why this works, see:

http://www.waterken.com/dev/YURL/Name/

While we're on the topic of bookmark keywords and phishing, I have a 
gripe with the current implementation of keywords in Firefox.

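The difference between the two mappings described in the message above, as an added example that is not part of the original post or of the linked paper's code. The class names, the use of SHA-256 as the key hash, the byte strings standing in for SSL public keys, and the `bank.example` URL are all assumptions made for illustration.

```python
import hashlib

def key_hash(public_key: bytes) -> str:
    # Assumption: SHA-256; the post only says "SSL public key hash".
    return hashlib.sha256(public_key).hexdigest()

class BookmarkKeywords:
    """Forward mapping only: [ keyword => URL ]."""
    def __init__(self):
        self._url_by_keyword = {}
    def add(self, keyword, url):
        self._url_by_keyword[keyword] = url
    def navigate(self, keyword):
        return self._url_by_keyword.get(keyword)
    # No reverse lookup: arriving at a page via a link tells the user nothing.

class PetnameStore:
    """Bidirectional mapping: key hash <=> petname."""
    def __init__(self):
        self._name_by_hash = {}
        self._hash_by_name = {}
    def assign(self, petname, public_key):
        h = key_hash(public_key)
        if self._hash_by_name.get(petname, h) != h:
            raise ValueError("petname already names a different key")
        old = self._name_by_hash.pop(h, None)  # renaming a key drops its old name
        if old is not None:
            del self._hash_by_name[old]
        self._name_by_hash[h] = petname
        self._hash_by_name[petname] = h
    def display_for(self, presented_key):
        # Run after every navigation, however the user got to the page.
        return self._name_by_hash.get(key_hash(presented_key), "unknown")

# Constructed stand-ins for the public keys two servers present.
BANK_KEY = b"constructed public key of the user's bank"
LOOKALIKE_KEY = b"constructed public key of a lookalike site"

def demo():
    keywords, petnames = BookmarkKeywords(), PetnameStore()
    keywords.add("bank", "https://bank.example/")
    petnames.assign("My Bank", BANK_KEY)
    return {
        "keyword": keywords.navigate("bank"),
        "real": petnames.display_for(BANK_KEY),
        "lookalike": petnames.display_for(LOOKALIKE_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

The keyword store answers only "where does this word go?", while the petname store also answers "what do I call the key this page just presented?", which is the check that returns "unknown" for a key the user never named.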

Ian Grigg | 3 Dec 2004 20:17

Re: 2004 - The Year of the Phish

> Ian Grigg wrote:
>> (Just briefly, the Certificate Authority needs to be shown.
>
> How exactly does this help the average user, who has no idea who
> "Verisign" are, and whether they should be trusted any more than
> "VirtuaRoot" (a name I just invented)?

Good question.  The answer:  Branding.  VeriSign
and other CAs would need to establish their brand
with the public.  Verisign would need to act like
Intel or Coke or Ford and establish a brand that
speaks of trust.

The problem is foisted on us somewhat by the PKI
design.  At the moment, any cert signed by any CA
is assumed to be good by the software, but it's
pretty easy to see and to show that that is a really
bad assumption.  Now, if we are going to have a PKI
where a CA is expected to be trusted, then that name
must be known by whoever relies on that trust (the
user).

The alternate is that the CA never needs to stand
up to the trust that the user demands, and thus is
untrusted.  Which is the situation we have now, in
that CAs are essentially trusted in lip service only.
In reality, whether they are worthy of any trust is
a complete lottery, and neither should they bother
to earn that trust, because nobody knows who they
are anyway.  So they can't be punished if they do

