spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-04 09:37:25
On Fri, 2004-06-04 at 01:27, Daniel Quinlan wrote:
> > As far as fixing phishing, there is nothing stopping people from
> > registering bigbank-customerservice.com to attack people who have
> > bigbank.com accounts.

> You can phish pretty darn effectively without even registering a domain
> that seems similar.

Of course.  I was only citing an example.

> Even with SPF or Caller-ID and even with kick-ass
> authentication, accreditation, and reputation systems.  All it takes is
> patience.

This is exactly my point.  Adding authentication and accreditation to the
mix only ends up giving you a false sense of security, especially if you
don't understand how and why those systems are SUPPOSED to work, and where
their weaknesses are.  Way too many people are overly trusting.

It's an interesting social problem really.  People have been told for a
long while that the little yellow lock is important, that your transaction
is secure.  Which is true to an extent: you are protected from man-in-the-
middle attacks thanks to your connection being encrypted.  But man-in-the-
middle attacks are rare because they are much harder to pull off.  So we've
actually been protecting ourselves from something that isn't as much of
a problem as other things, like phishing, which exists due to weaknesses
in the trust structure, making it much easier to impersonate someone
(and (ab)use trust that already exists between two parties).

Yeah! customerservice@bigbank-phisher.com sent me an email and
bigbank-phisher.com says that it's actually an email from
bigbank-phisher.com!  Never mind the fact that bigbank-phisher.com is NOT
bigbank.com.

> > This is the same problem with SSL and current browser practices for
> > https connections.

> Not really.  You still start your browsing session at www.bigbank.com.
> Since email is a push medium, the problem is considerably different.

The methods are considerably different, but the problem is the same: the
inability to accurately measure trust using untrustable tools.  And all
the tools have the same problem: you are essentially asking the liar if
he can be trusted.

The SSL lock in the browser is _EXACTLY_ the same as the MUA that
displays a green check mark next to certain addresses to indicate that
they come from authenticated senders.  But to determine if someone is
who they say they are, you ASK THEM, for both SSL and phishing
prevention schemes we are talking about now.  There are additional
protections we have with SSL, by having root certs that we (implicitly)
trust, but this still isn't bulletproof.

You could start your browsing session at www.bigbank.com, but the
network could have changed out from under you (evil DNS resolver between
you and the internet, for example, that returns phishing sites instead)
-- just because you manually type in "www.bigbank.com" doesn't mean that
you are actually AT Big Bank's website -- it's not like walking into a
branch, which you can be much more sure (but still not 100%, witness
those kinds of schemes where people put up fake ATMs, it is entirely
possible, although unlikely, that the entire bank is made up of
imposters) is actually the bank you intend it to be -- and there is NO
way to verify this short of manually installing the bank's public key
that you signed yourself with your own key, and installing your own key
as a root key in your browser, when you opened your account (short of
other social engineering attacks that could happen at that time).  Come
to think of it, this could actually be a good practice -- but it'll be
tough to get the unwashed masses to go along with this "inconvenience"
in the name of security.

In addition, bigbank.com could have been cracked or your client could
have some malicious code on it, both of which are at the ENDS of the
connection.  Some of the links could be replaced (perhaps through a DNS
subdomain change, or perhaps through HTML replacement) to go someplace
else -- also over HTTPS/SSL with a valid cert for that place -- and most
browsers won't pop up a warning message in that case either (and if they
did, people would most likely look to have that warning disabled).

Just because you start some place doesn't mean that's where you end up.

-- 
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>
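The distinction the post draws (an authentication pass tells you the mail really came from the domain it names, not that the domain is the one you trust) is easy to get wrong in a mail client. The following is an added example, not code from the original post or from any SPF implementation. It assumes the MUA has already obtained an SPF result for the sender's domain, and that the user keeps an explicit list of domains they established trust with out of band (the post's "install the bank's key yourself" idea); bigbank.com and bigbank-phisher.com are the post's own hypothetical names, and the header values and the `looks_like` heuristic are constructed for illustration.

```python
"""Added example (not part of the original post): an SPF "pass" by itself
must not light up a "trusted sender" indicator.

Constructed assumptions: the MUA already has an SPF result for the sender
domain, and the user maintains TRUSTED_DOMAINS by hand, out of band.
"""
from email.utils import parseaddr

# Domains the user has deliberately marked as trusted (constructed sample).
TRUSTED_DOMAINS = {"bigbank.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header value, or ''."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_trusted(domain: str) -> bool:
    """Exact match or subdomain of a domain the user explicitly trusts."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def looks_like(domain: str, trusted: str) -> bool:
    """Narrow heuristic: `domain` is not `trusted` (or under it) but reuses
    its first label, e.g. bigbank-phisher.com against bigbank.com."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    trusted_label = trusted.split(".")[0]
    return trusted_label in domain.replace("-", ".").split(".")


def classify(from_header: str, spf_result: str) -> str:
    """Decide which indicator the MUA should show for a message.

    'lookalike'             : domain merely resembles a trusted one; an SPF
                              pass here only proves the look-alike sent it
    'unverified'            : no SPF pass, so the domain claim is unchecked
    'trusted'               : SPF passed AND the user trusts this domain
    'authenticated-unknown' : SPF passed for a domain with no trust
                              relationship; "asking them" is all we did
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unverified"
    if any(looks_like(domain, t) for t in TRUSTED_DOMAINS):
        return "lookalike"
    if spf_result != "pass":
        return "unverified"
    if is_trusted(domain):
        return "trusted"
    return "authenticated-unknown"


if __name__ == "__main__":
    # Constructed sample headers and SPF results.
    samples = [
        ("Big Bank <alerts@bigbank.com>", "pass"),
        ("Big Bank <alerts@bigbank.com>", "fail"),
        ("Big Bank <customerservice@bigbank-phisher.com>", "pass"),
        ("Newsletter <news@example.org>", "pass"),
    ]
    for hdr, spf in samples:
        print(f"{classify(hdr, spf):22s}  spf={spf:4s}  {hdr}")
```

The key design choice is the order of checks: the look-alike test runs before the SPF result is even consulted, because a pass for bigbank-phisher.com is exactly the "liar vouching for himself" case the post describes. Only a pass for a domain the user chose to trust earns the indicator; a pass for anything else is reported as authenticated but unknown, which is all the authentication actually established.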