WebApp Sec mailing list archives
Re: (secure email) Proposal to anti-phishing
From: Michael Silk <michaelsilk () gmail com>
Date: Sun, 23 Jan 2005 23:41:54 -0800
Thats not really "Phishing" though, is it? (http://en.wikipedia.org/wiki/Phishing) It is on one hand in that they are lured to the site, but they don't provide any information, it is stolen from them by the malware. Sure, it's a problem that must be dealt with but to say that client side certificates are useless due to that is silly because that (compromised system) is a problem _no matter what_ solution is implemented ("secure" emails). -- Michael Lyal said:
-----Original Message----- From: Michael Silk [mailto:michaelsilk () gmail com] Sent: Monday, 24 January 2005 3:24 PM To: lyal.collins () key2it com au; webappsec () securityfocus com Subject: RE: (secure email) Proposal to anti-phishing Lyal said:The difference is that client-side SSL exists today in anindustrystandard platform independent manner that could be effectively deployed. (management is a different issue that I will be acoward andignore for now.)It's hard to see how changing the locaiton of a password verification actually makes any difference to accountholder security or phishing.Is it? Surely it's easy to see. Phishing requries the user to enter the password in a website. If they don't need to do this (or only enter partial password) because of certificate, then I think it's pretty easy to see how that is an advantage.Seen the newer generaitons of phishing, where going to the faked bank site loads up the user's PC with spyware, keyloggers et al? Certificates are compromised as soon as any malware enters the machine - which is useless in this phishing scenario.And then there's the pragmatic fact that people will payMicrosoftprotection-racket funds for Microsoft anti-spyware to protect themselves transparently in the background from thecrappy softwareMicrosoft *SOLD* them in the first place...and they will dothis longbefore they'll use any of the "secure email" solutions today that require user interaction & thought. But I'm all for an global standard secure email solution ifyou happento have one of those handy,Actually, my company does - if anyone wants to buy it.Global, is it? Who buys it then? How does it work? Care to share more details, because there is not much information on your site. Doesn't seem any different to what PGP would provide. It's also rather interesting that you claim it "encrypts" everything, but also analyses it for spam, viruses ... now just how does it do that :) ? And what is "content checked". Seems far to "big brother" for my liking.
Current thread:
- RE: (secure email) Proposal to anti-phishing Evans, Arian (Jan 19)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 23)
- <Possible follow-ups>
- RE: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 27)
- Re: (secure email) Proposal to anti-phishing Michael Silk (Jan 27)