ietf-dkim

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-09 13:36:00
> This assumes that social problems have to be solved only in the
> technical realm in order to be useful. I'm sure that John will snort
> his coffee through his nose, but training users to only expect to
> hear from paypal from paypal.com is most likely part of the
> solution.

John had fortunately put his coffee down before reading your message.

I entirely agree that user education is a key part of the approach
to phishing.  As you may have heard, I've written a few books somewhat
relevant to education of Internet users.

But if we're going to educate users, wouldn't it be better to tell
them to do something that they can plausibly do and that works?
Forcing bad guys to use lookalike domain names, expecting senders to
use only a handful of domains, and expecting users to reliably tell
the real domains from the fake ones flies in the face of experience.

Bad guys are already using all sorts of tricks to fake out the
appearance of domain names.  Some are pretty obvious, like this,
which I think still works in many Windows MUAs:

  From: "Paypal Security <security@paypal.com>" <phisher@highschool.ro>

or they use typo-alikes like paypa1 and, with the advent of IDNs, the
number of typo-alikes vastly increases.  Or they use HTML to put a
fake From: line buffer at the top of the message window that matches
the appearance of popular MUAs.  Or any of a dozen other things they
already do now.

What's the point of a security measure that the bad guys already know
how to get around?

Here's the approximate model of the educated user depending on SSP:

1) Incoming message appears to be from a bank.

2) Try and remember exactly what domain your bank uses.

3) Find the domain name in the return address.  Are you sure that's
really the domain?  Maybe you should do a right-click and view the
message source just to be sure.

4) Compare the domain name pixel by pixel, checking for typo-alike
characters.  Are the pixels exactly right?  Are you sure that's a letter
O rather than a greek or cyrillic omicron?

5) Name doesn't match?  Did your bank merge or change its name lately?
Return to step 2.

6) ad nauseam

On the other hand, if we encourage whitelists of real banks, the
user's model is like this:

1) Incoming message appears to be from a bank.

2) Does the MUA show the golden dollar sign that means it's from a
real bank?

3) Done.

If banks want to use 37 funky domains, they can register them all with
the whitelist.  If the bank's name changes, it's one whitelist update
rather than a million re-educated users.

I hope we all agree that phishing is basically a social problem with
social solutions, but some technology is a lot more helpful than
others when putting those social solutions in place.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
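The three tricks John lists (an address-shaped display name wrapped around a different real address, digit-for-letter typo-alikes, and IDN homoglyphs) and the two user models he contrasts can be run side by side. The following is an added example, not code from the original post or from the DKIM/SSP work; the sample From: headers are constructed, the whitelist and the confusables table are hypothetical stand-ins, and the only real API used is Python's email.utils.parseaddr.

```python
"""
Added example (not part of the original ietf-dkim post): show why the
display-name trick quoted in the post fools a reader, why typo-alike
and homoglyph domains defeat "compare the domain pixel by pixel", and
how an exact-domain whitelist reduces the check to one set lookup.
"""
import email.utils
import re
import unicodedata

# Constructed sample From: headers. The second is the trick from the
# post: "Paypal Security <security@paypal.com>" is only a quoted display
# name; the address an MUA would reply to is the one in angle brackets.
SAMPLE_FROM_HEADERS = [
    "Paypal Security <security@paypal.com>",
    '"Paypal Security <security@paypal.com>" <phisher@highschool.ro>',
    "PayPal <service@paypa1.com>",          # digit 1 standing in for l
    "PayPal <service@payp\u0430l.com>",     # Cyrillic a (U+0430) for a
]

# Hypothetical whitelist of domains a bank has registered, as the post
# suggests; membership is an exact match on the real sending domain.
WHITELIST = {"paypal.com", "paypalobjects.com"}

# Small, deliberately incomplete confusables table (an assumption, not
# the Unicode confusables data): maps lookalikes to the ASCII letter a
# human reads them as.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u03bf": "o",  # Greek omicron
    "1": "l",
    "0": "o",
}

# An address-looking token hiding inside a display name.
EMBEDDED_ADDR = re.compile(r'[^\s@<>"]+@([^\s@<>"]+)')


def real_domain(header: str) -> str:
    """Domain of the addr-spec that replies would actually go to."""
    _name, addr = email.utils.parseaddr(header)
    return addr.rpartition("@")[2].lower()


def claimed_domain(header: str) -> str:
    """Domain of an address-shaped string in the display name, or ''."""
    name, _addr = email.utils.parseaddr(header)
    m = EMBEDDED_ADDR.search(name)
    return m.group(1).lower() if m else ""


def skeleton(domain: str) -> str:
    """Collapse a domain to what a human reader perceives it as."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def classify(header: str, whitelist=WHITELIST) -> str:
    """One of: whitelisted, display-name spoof, lookalike, unknown."""
    domain = real_domain(header)
    if not domain:
        return "unparseable"
    if domain in whitelist:
        return "whitelisted"  # the "golden dollar sign" case: one lookup
    claimed = claimed_domain(header)
    if claimed and claimed != domain:
        return "display-name spoof"
    if skeleton(domain) in {skeleton(w) for w in whitelist}:
        return "lookalike"  # what the eyeball comparison is asked to catch
    return "unknown"


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{classify(h):20s} real={real_domain(h)!r} "
              f"claimed={claimed_domain(h)!r}")
```

The whitelist branch is the whole of John's second model: the receiver never looks at the display name or reasons about lookalikes, it only asks whether the real domain is in the set. The skeleton() branch is the first model made explicit, and its weakness is visible in the code: the confusables table can never be complete, so a lookalike the table does not know about falls through as "unknown", which is exactly the burden the post says should not be placed on users. A real deployment would key the whitelist on a domain authenticated by DKIM rather than on the raw From: header, since the header itself is attacker-controlled.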
