Ben Laurie wrote:
> Ian Grigg wrote:
> > Too many words? OK, here's the short version
> > of why phishing occurs:
> > "Browsers implement SSL+PKI and SSL+PKI is
> > secure so we don't need to worry about it."
> > PKI+SSL *is* the root cause of the problem. It's
> > just not the certificate level but the business and
> > architecture level. The *people* equation.
> PKI+SSL does not _cause_ the problem, it merely fails to solve it. You
> may as well blame HTTP - in fact, it would be fairer.
Well, blaming a protocol which is an inanimate
invention of man is always unfair, but so is
avoiding the issues by quibbling on the meanings.
Blaming HTTP is totally unfair as it never ever
promised to protect against spoofs.
PKI+SSL promised to detect and cover spoofs. In
fact, the original point of PKI was to close out
the MITM or spoof, and was then enlarged somewhat
confusingly to provide some sort of commerce
guarantee on the stated identity (cf. Lynn's
amusing stories of CAs gone mad with dollarlust.)
Originally, Netscape's browser implemented the
complete anti-spoofing UI and included more info
on the screen. This was then dropped in the
screen wars, against the advice of security
engineers at Netscape. (Ref: comments by Bob
R.)
So, to repeat: It's not the certificate
level but the business and architecture level.
The *people* equation. It's the people who
implement the PKI+SSL model and don't do it
properly that are the root cause of phishing.
Petnames, Trustbar, DSS are some of the solutions
that work *positively* and *constructively* to
close the loopholes in the browser's implementation
of PKI+SSL.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]