ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [saag] Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)

2007-09-11 08:41:36
from [der Mouse] [Permanent Link] 
I really dislike the use of "fishing" with creative spelling in a
document prepared for an international standards organization.


Perhaps unfortunately, that is *the* word for the behaviour in
question, at least in English.  It was not invented for the draft, and
"com[ing] up with something [else]" would be *less* descriptive and
would render the document cryptic to the people who's been working
against phishing for years.  Perhaps it's a bad word to use in other
languages, but that should be addressed by the translator(s) in
question, not by mangling the original.


[...], because it sends a number of very bad messages:



- it's ok for browser vendors to play fast and loose with security
  related UI elements such as the lock icon and the URL bar (i.e.,
  have them controlled by the remote server)



- it's ok for domain vendors to sell domains that use IDN trickery



- it's ok for certificate vendors to sell certificates that seem to
  be tied to some known entity but are in reality tied to a different
  entity


It appears they *are* OK, pragmatically; at least, the first and third
- and quite possibly the second, for all I know - are continuing with
no apparent backlash.


All of these are unacceptable and we as users of these services,
community members, engineers and IETF members should do what we can
to make sure that they don't happen.


Ideally, yes.  Let me know when you manage to get users to drop every
major Web browser and every major cert vendor because they're insecure
against these attacks - never mind when you find users competent to
even understand the issue, much less evaluate Web browsers and cert
vendors in these regards.

In the meantime, I see nothing wrong (and much right) with a draft that
addresses this problem - or at least tries to - in the world as it is,
rather than the world as you, me, and a tiny minority of other people
would like it to be.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               
mouse(_at_)rodents(_dot_)montreal(_dot_)qc(_dot_)ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re[2]: [Ietf-http-auth] Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt), Chris Drake
Next by Date:  RE: Last Call: draft-aboba-sg-experiment (Experiment in Study Group Formation within the Internet Engineering Task Force (IETF)) to Experimental RFC, Hallam-Baker, Phillip
Previous by Thread:  RE: Next step on web phishing draft(draft-hartman-webauth-phishing-05.txt), Hallam-Baker, Phillip
Next by Thread:  Re: [saag] Next step on web phishing draft(draft-hartman-webauth-phishing-05.txt), tom.petch
Indexes:  [Date] [Thread] [Top] [All Lists]