At 3:51 PM -0800 3/6/03, Nate W wrote:
> The other problem with challenge/response systems is that there's a
> missing link in the interface.
> I go to a web site and purchase something. They send me an email
> receipt. How exactly are they going to automatically get through my
> challenge response?
> Sometimes I whitelist the domain beforehand, most times I just check the
> 'holding pen' folder for a message from the merchant some time later.
The question is not how we do it, but how someone's grandmother is
going to do it. There is no interface. It's an error-prone and
manual process. It also completely fails when a company changes its
name, or when the primary domain is not the same as the particular
store you shopped at.
One can certainly imagine standards to deal with this problem.
Browser plugins, special URLs....
But fundamentally whitelisting fails without authentication.
In fact, I just got one such. A social engineering paypal theft
scam. Mail from Canada, with a form that submits to Russia, which
then sends the email to Florida. Fortunately it fails a trivial
header check.
Return-Path: <2et8t2n(_at_)linenoise(_dot_)net>
Received: from 24.222.182.119 ([24.222.182.119] verified)
by somewhere.com (CommuniGate Pro SMTP 3.5.7)
with SMTP id 2086244 for xxxx; Thu, 06 Mar 2003 17:08:43 -0500
Date: Thu, 06 Mar 2003 18:19:51 -0600
From: info(_at_)paypal(_dot_)com
To: xxx
Subject: Your PayPal account is Limited.
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Message-ID: 3372C50E-CC148FC-1695607-1D543072-4C9F48EE(_at_)paypal(_dot_)com
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
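The "trivial header check" Kee mentions, written out as an added example (not code from the thread or from PureMessaging). It takes the headers quoted above as a constructed sample, with the list archive's address obfuscation undone and continuation lines re-indented, and reports the three things a receiving MTA can see without any sender authentication: Return-Path domain differing from From, first hop not in the From domain, and a Date header ahead of the MTA's own timestamp. The domain comparison and the 10-minute skew tolerance are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in the thread, de-obfuscated,
# with folded Received lines re-indented so the parser joins them.
SAMPLE = (
    "Return-Path: <2et8t2n@linenoise.net>\n"
    "Received: from 24.222.182.119 ([24.222.182.119] verified)\n"
    " by somewhere.com (CommuniGate Pro SMTP 3.5.7)\n"
    " with SMTP id 2086244 for xxxx; Thu, 06 Mar 2003 17:08:43 -0500\n"
    "Date: Thu, 06 Mar 2003 18:19:51 -0600\n"
    "From: info@paypal.com\n"
    "To: xxx\n"
    "Subject: Your PayPal account is Limited.\n"
    "Message-ID: 3372C50E-CC148FC-1695607-1D543072-4C9F48EE@paypal.com\n"
    "\n"
)

def domain_of(addr):
    """Lower-cased domain part of an address header ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()

def header_findings(raw, max_skew_seconds=600):
    """Return (check, detail) tuples for sender-consistency problems that
    are visible from headers alone. Thresholds are assumptions."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(("return-path-mismatch", f"{rp_dom} != {from_dom}"))
    # Unfold the topmost Received header: the hop our own MTA recorded.
    received = " ".join((msg.get("Received") or "").split())
    m = re.match(r"from\s+(\S+)", received)
    if m:
        hop = m.group(1).strip("[]").lower()
        if not (hop == from_dom or hop.endswith("." + from_dom)):
            findings.append(("origin-mismatch", f"{hop} is not in {from_dom}"))
    # Compare the sender's Date with the time our MTA stamped after ';'.
    if ";" in received and msg.get("Date"):
        stamped = parsedate_to_datetime(received.rpartition(";")[2].strip())
        claimed = parsedate_to_datetime(msg["Date"])
        skew = (claimed - stamped).total_seconds()
        if skew > max_skew_seconds:
            findings.append(("future-dated", f"Date is {int(skew)}s ahead"))
    return findings
```

Run against the sample, all three checks fire; a message whose envelope, first hop and Date agree with the From domain produces an empty list.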