nanog mailing list archives
Re: Dear RIPE: Please don't encourage phishing
From: William Herrin <bill () herrin us>
Date: Fri, 10 Feb 2012 12:35:56 -0500
On Fri, Feb 10, 2012 at 12:18 PM, Richard Barnes <richard.barnes () gmail com> wrote:
> On Fri, Feb 10, 2012 at 8:56 AM, Steven Bellovin <smb () cs columbia edu> wrote:
>> I received the enclosed note, apparently from RIPE (and the headers check out). Why are you sending messages with clickable objects that I'm supposed to use to change my password?
>>
>> [...] attribute field. Click this button for a pop up window that will encrypt a password and enter it directly into the "auth:" field.
>
> So because of phishing, nobody should send messages with URLs in them?

url != clickable object

No problem with URLs in email. No problem with clickable objects that are unrelated to security.

Minor problem with URLs that lead to changing passwords but can be mitigated by making the URL very plain and easy to read, even by a non-techie. They'll at least have to see the thing, even if the mail client automagically makes it clickable.

Big problem with clickable objects which lead to PII (personally identifiable information) or passwords. That's how phishing works -- a disguised url that you either see at all or whose incorrect nature slips right past your brain.

The only known working solution is to train folks to *never* click security-related URLs in email. Copy and paste only, and only if they're readable and read right.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
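
Added example, not part of the original message or of any code from the thread: a Python sketch that sorts the links in an HTML mail body into the cases the message distinguishes (plain readable URL, disguised URL, security-related clickable object, other clickable object). The category names, the keyword list and the sample bodies are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample bodies (not the RIPE note quoted in the thread).
PLAIN = '<p>Go to <a href="https://example.net/password">https://example.net/password</a></p>'
DISGUISED = '<a href="https://example.net.login.invalid/pw">https://example.net/password</a>'
BUTTON = '<a href="https://example.net/password"><img src="b.png" alt="Click this button"></a>'
OTHER = '<a href="https://example.net/news">Read the meeting report</a>'

SENSITIVE = re.compile(r"passw|login|auth|account", re.I)  # assumed keyword list

class LinkAudit(HTMLParser):
    """Collect (href, visible text) for every <a> element in a mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and self._href is not None:
            self._text.append(a.get("alt") or "")  # image buttons show only alt text
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def classify(href, text):
    target = urlsplit(href)
    shown = urlsplit(text if "://" in text else "")
    if shown.hostname:                     # the visible text is itself a URL
        if shown.hostname != target.hostname:
            return "disguised-url"         # reader sees one host, click goes to another
        return "plain-url"                 # readable, and it reads right
    if SENSITIVE.search(href) or SENSITIVE.search(text):
        return "security-clickable"        # button or label hiding a credential URL
    return "other-clickable"

def audit(html_body):
    parser = LinkAudit()
    parser.feed(html_body)
    parser.close()
    return [classify(href, text) for href, text in parser.links]

if __name__ == "__main__":
    for body in (PLAIN, DISGUISED, BUTTON, OTHER):
        print(audit(body))
```
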