Tom,
the point is "I reach a host and I want to know if that host is the one I
believe to be the host." Not to make faking difficult. The only solution I
would trust right now is a real time synchronous true random multi-channel
loop. This is possible and has a cost. Who is to bear it is the point. If
it is beared by a specialized service provider the standard will be his
standard and he will sell his infrastructure everywhere calling most
probably for uncompatible competition. If you can propose a solution able
to take off quickly at low investment cost for the end-user and using
existing infrastructures, then it is possible to make it a public standard.
jfc
At 15:46 30/12/03, Tom Petch wrote:
I don't know the technical details of how to inhibit part of the download -
yet! - but
doubtless others can help some more.
Two reasons for thinking it is possible - one is that this came up as a con
which had defrauded banks recently. There was a report in the UK national
media about the con with a somewhat scathing suggestion that the banks were
leaving themselves wide open and should download less (but no details
thereof).
Second, I see it empirically; my Windows client has a feature
whereby objects stored in the TIF (Temporary Internet Files) do not get
deleted so I have learnt to delete them manually at regularly intervals;
and so have learnt just how much or how little sites download; some
download everything, others do not. Of course for the ones that do not, I
do not see all it is they are doing so again do not have the
technical details. But I am talking about different server
implementations, not
about a change to the customisation of the caching on the client side.
I believe this is a question of server versus client side processing. The
modern trend is to perform as much processing as possible client side as
this then enables the server to process more clients, but it then requires
the client to be given everything it might need (making spoofing easy). Do
more server side and the client gets less.
Is it more than Frederic suggests, disabling mouse button 2? I think so; I
will tell you as and when I find out. But his point about using
print-screen
to get a screenshot as a counter-counter measure is a good one - the
images, at least, must be downloaded as far as the screen :-)
Tom Petch
-----Original Message-----
From: Parry Aftab <parry(_at_)aftab(_dot_)com>
To: 'Tom Petch' <nwnetworks(_at_)dial(_dot_)pipex(_dot_)com>; 'Mark Smith'
<ipv6(_at_)c753173126e0bc8b057a22829880cf26(_dot_)nosense(_dot_)org>
Cc: franck(_at_)sopac(_dot_)org <franck(_at_)sopac(_dot_)org>;
ietf(_at_)ietf(_dot_)org <ietf(_at_)ietf(_dot_)org>
Date: 23 December 2003 23:49
Subject: RE: [Fwd: [isdf] need help from the ietf list...can someone
postthis for me? or allow me to post directly?]
>What do you mean about having a site not download?
>
>-----Original Message-----
>From: Tom Petch [mailto:nwnetworks(_at_)dial(_dot_)pipex(_dot_)com]
>Sent: Monday, December 22, 2003 1:04 PM
>To: Mark Smith
>Cc: parry(_at_)aftab(_dot_)com; franck(_at_)sopac(_dot_)org;
ietf(_at_)ietf(_dot_)org
>Subject: Re: [Fwd: [isdf] need help from the ietf list...can someone
>postthis for me? or allow me to post directly?]
>
>Banks do make it extraordinarily easy for their sites to be spoofed by
>allowing all their html, .TXT etc to appear in my Temporary Internet
>Folder
>without even me having to lift a finger.
>
>You can make web sites which don't download - time for banks to learn
>about
>this.
>
>Tom Petch, Consultant
>
>-----Original Message-----
>From: Mark Smith
<ipv6(_at_)c753173126e0bc8b057a22829880cf26(_dot_)nosense(_dot_)org>
>To: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu
<Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu>
>Cc: parry(_at_)aftab(_dot_)com <parry(_at_)aftab(_dot_)com>;
franck(_at_)sopac(_dot_)org
><franck(_at_)sopac(_dot_)org>;
>ietf(_at_)ietf(_dot_)org <ietf(_at_)ietf(_dot_)org>
>Date: 22 December 2003 13:37
>Subject: Re: [Fwd: [isdf] need help from the ietf list...can someone
>postthis for me? or allow me to post directly?]
>
>
>>I've heard of one recently where the actual page was from the
>legitimate
>bank web site, but the dialog box window asking for username and
>password
>detail was the spoofed component. Everythink, including HTTPS locks,
>URLs
>etc displayed would have looked, and actually were legitimate.
>>
>>
>>On Sun, 21 Dec 2003 20:05:02 -0500
>>Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:
>>
>>> On Sun, 21 Dec 2003 18:40:57 EST, Parry Aftab said:
>>> > It's a spoof, phished e-mail. No such credit card. I just confirmed
>with
>>> > the powers that be in PayPal/eBay. The scams are good enough to
>confuse
>>> > even ietf members. See the problem? How can someone tell this was a
>>> > phishing expedition?
>>>
>>> Damned good one, they even got their URL into PayPal's FAQ:
>>>
>>> https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782
>>>
>>> Either this is a whole new level of phishing, or the left hand
>doesn't
>know
>>> what the right hand is doing. You tell me.
>>>
>>> > We need some tech guidance?
>>>
>>> Yes, PayPal apparently needs some. guidance in getting their info
>pages
>>> to correspond to their policy - see the above URL, see the mail I
>quoted,
>>> and then see this URL:
>>>
>>> https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=56413
>>>
>>> Also might want to have another chat with your powers that be, they
>>> seem to be out of touch with what their company and their business
>>> partners over at Providian are actually doing.
>>>
>>
>>
>>
>