WebApp Sec mailing list archives

RE: Smells like a phish, is a fish?


From: "Tom Stowell" <jts () deforest k12 wi us>
Date: Fri, 28 Oct 2005 11:08:31 -0500

I agree with you. Maybe we should just encrypt the whole message.

Client-side certificates, put in the kindest of words, are a customer support nightmare come to life. But they're 
probably the best solution we have right now...

http://www.thawte.com/secure-email/personal-email-certificates/index.html


Tom



Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts () deforest k12 wi us>


console, n. [From Latin consolatio(n) "comfort, spiritual solace."] A device for displaying or printing condolences or 
obituaries for the operator.
            -- Stan Kelly-Bootle, The Computer Contradictionary.

"Damhuis Anton" <DamhuisA () aforbes co za> 10/28/05 05:39 AM:

Hi,

Signing an email authenticates the origin of an email,
(a) but it still does not stop the contents of the email from being read while in transit (as far as I know).
(b) It also does not stop the contents from being read after an elapsed period of time.

(a) If an attacker saw the link in the message while it was being transmitted and copied the link into a browser, 
they would get access to the account.

(b) If the email lay dormant on the email server for some time, and is then opened, it would/could still give access to 
that account.

That is why I say that something must always be kept secret. In both cases it will make sure that someone could not get 
access to an account.

Another Example
===============
Let's assume there is a web site that requires the user to enter their email address and password to log in.

If the user forgets their password, it can be sent to them. An attacker at that point has all the information from the 
email while in transit, and while stored somewhere. Most likely the request would still be valid after 3 weeks.
The site should have a timeout on the sent password. It should also require the user to change their password as soon 
as they log in (thus making the information in the email invalid).

Regards
  Anton

-----Original Message-----
From: Tom Stowell [mailto:jts () deforest k12 wi us]
Sent: 27 October 2005 08:27
To: Damhuis Anton; Ofer.Shezaf () breach com; vanderaj () greebo net;
webappsec () securityfocus com
Subject: RE: Smells like a phish, is a fish?


Greetings,

You say "email is sent over an unencrypted link". I say, why?

I would put forth that phishing is going to be a problem until there is a secure, open, widely deployed standard for 
source-authentication of email.

S/MIME, for example. Maybe businesses should start signing messages, and teach their customers to not trust ones that 
don't have the "golden padlock."

Tom

Confidentiality Warning
=======================

The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
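Anton's design above (a short timeout on the emailed password, and a forced password change at the first login) as an added Python sketch; this is not code from the thread, and the in-memory account record, the 15-minute TTL and the PBKDF2 parameters are constructed for illustration:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TEMP_PASSWORD_TTL = 15 * 60  # seconds; constructed value, far shorter than "3 weeks"


def hash_secret(secret: str, salt: str) -> str:
    """PBKDF2-HMAC so a copied account table does not reveal the secrets (parameters illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 100_000).hex()


@dataclass
class Account:
    email: str
    salt: str
    password_hash: str
    must_change_password: bool = False
    temp_hash: Optional[str] = None  # only the hash of the emailed password is kept
    temp_expires: float = 0.0        # epoch seconds after which the emailed password is dead


def new_account(email: str, password: str) -> Account:
    salt = secrets.token_hex(16)
    return Account(email, salt, hash_secret(password, salt))


def issue_temp_password(acct: Account, now: float) -> str:
    """Returns the value that goes into the email; the server stores its hash and an expiry."""
    temp = secrets.token_urlsafe(24)
    acct.temp_hash = hash_secret(temp, acct.salt)
    acct.temp_expires = now + TEMP_PASSWORD_TTL
    return temp


def login(acct: Account, password: str, now: float) -> bool:
    """The regular password works as usual. The emailed one works once, before expiry,
    and flags the account so the next step must be a password change."""
    candidate = hash_secret(password, acct.salt)
    if hmac.compare_digest(candidate, acct.password_hash):
        return True
    if acct.temp_hash is None:
        return False
    if now > acct.temp_expires:          # e.g. the email sat on the server for weeks
        acct.temp_hash = None
        return False
    if not hmac.compare_digest(candidate, acct.temp_hash):
        return False
    acct.temp_hash = None                # single use: a copied email is now worthless
    acct.must_change_password = True
    return True


def change_password(acct: Account, new_password: str) -> None:
    acct.salt = secrets.token_hex(16)
    acct.password_hash = hash_secret(new_password, acct.salt)
    acct.must_change_password = False
```

Replaying the emailed value after it has been used, or after the TTL, fails, which is the property Anton asks for in both of his cases.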

