WebApp Sec mailing list archives
RE: (secure email) Proposal to anti-phishing
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 18 Jan 2005 11:44:36 -0600
-----Original Message----- From: Lyal Collins [mailto:lyal.collins () key2it com au] -----Original Message----- From: Rogan Dawes [mailto:discard () dawes za net] [snip] Please take a look at the thread that starts http://seclists.org/lists/webappsec/2004/Oct-Dec/0291.html and especially <http://seclists.org/lists/webappsec/2004/Oct-Dec/0347.html> where I explain why I believe SSL client certificates are really the only practical solution to preventing phishing. [snip] Well, there may be one other good option to stop phishing. If emails could be positively identified as coming from a customer's bank, then they could ignore those that don't authenticate as spam/phishing/fraud.
The difference is that client-side SSL exists today in an industry standard platform independent manner that could be effectively deployed. (management is a different issue that I will be a coward and ignore for now.) "secure email"....what is that? It doesn't exist is the problem, unless you want to talk a specific software package or a one of the "secure email portal" solutions (hosted or device). Those aren't any more reasonable than a token. Kiosk. Airport or hotel shared system, etc. Are going to carry around your thumb drive and install PGP and your keyring on every system you use if they let you? And then there's the pragmatic fact that people will pay Microsoft protection-racket funds for Microsoft anti-spyware to protect themselves transparently in the background from the crappy software Microsoft *SOLD* them in the first place...and they will do this long before they'll use any of the "secure email" solutions today that require user interaction & thought. But I'm all for an global standard secure email solution if you happen to have one of those handy, Arian The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
Current thread:
- RE: (secure email) Proposal to anti-phishing Evans, Arian (Jan 19)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 23)
- <Possible follow-ups>
- RE: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: (secure email) Proposal to anti-phishing Michael Silk (Jan 24)
- RE: (secure email) Proposal to anti-phishing Lyal Collins (Jan 27)