John Levine wrote:
Thanks! But, our prototype (for Mozilla) allows you also to select the Logo (or icon) for the site manually, although having it already signed by a trusted authority could be nice. Also: the trusted area can also display other credentials of the site, and in particular - logo and/or name of the CA.Reminder: following lots of discussion on this list, I wrote proposals on how crypto can help solve phishing, spoofing and spamming problems. ... # Protecting (even) Naive Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://eprint.iacr.org/2004/155/ (or off http://AmirHerzberg.com)This is a pretty good paper. It outlines the problem and proposes that browsers add a "trusted credential area" that displays a site logo that has to be signed by a CA using SSL, in a way that is hard to spoof or forge.
I completely agree that existing CA solution in browser is lousy; did you notice that the main requirement to become a CA is to be a CPA (certified public accountant) and pay 1400$ to WebTrust? (more in paper)
I've been discussing a similar idea with a lot of people that has one important difference: the seal belongs to the CA and is distributed as part of the verification certificate. Per-site logos have the disadvantages that there are a lot of sites, not all with famous logos, and there are a lot of CAs, most of whose primary verification technique is to be sure your check didn't bounce.
That's why manual logo approval by the users is an important first step (works great - I don't know how I ever used e-banking without it). Second step may be for users to share these user-certified logos, and finally - for some trustworthy organizations to provide logo certificates.
Agree! We call this a credential, see in paper or just this screen shot http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing_files/image006.gif
In most industries there is a regulator or trade association who already knows who the legitimate players are. That's who should be running the CA for that industry, with an industry wide logo that they could advertise, something like a golden dollar sign that tells you that a site is really a bank. I spoke briefly to a guy from the FDIC at last year's antiphishing meeting who said they'd been thinking of something like that.
--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
begin:vcard fn:Amir Herzberg n:Herzberg;Amir org:Bar Ilan University;Computer Science adr:;;;Ramat Gan ;;52900;Israel email;internet:[EMAIL PROTECTED] title:Associate Professor tel;work:+972-3-531-8863 tel;fax:+972-3-531-8863 x-mozilla-html:FALSE url:http://AmirHerzberg.com version:2.1 end:vcard
