On Fri, 17 Aug 2007 20:31:51 +0200
Iljitsch van Beijnum <iljitsch(_at_)muada(_dot_)com> wrote:
On 17-aug-2007, at 17:54, Steven M. Bellovin wrote:
S/MIME would be a fine start. It also won't solve the problem until
someone develops a user interface that DTRT for naive users who
don't understand trust anchors,
Big yellow warning when S/MIME authentication fails in Apple's Mail
is hard to miss even if you don't understand exactly what it is...
You'd be surprised what people will miss... You also have to account
for people missing the presence of S/MIME, i.e., the bad guy just sends
the email without any protection and hopes folks don't notice.
or how to distinguish myfinancialcompany.com from
myfinancia1company.com when both have valid certificates.
So I can register paypa1.com and then go to Verisign to get a
certificate for that domain? If that's true, then I think the law
makers in various jurisdictions have work to do.
Given that paypa1.com was the very first phishing attack I saw, and
that there was a cert... More recently, see
http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html
The very simple idea of having a .bank TLD for financial institutions
could also help a lot here.
Same failure modes.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf