On Mon, 12 Feb 2007 17:03:32 -0500 Matt Blaze <[EMAIL PROTECTED]> wrote:
> I'm all for email encryption and signatures, but I don't see > how this would help against today's phishing attacks very much, > at least not without a much better trust management interface on > email clients (of a kind much better than currently exists > in web browsers). > > Otherwise the phishers could just sign their email messages with > valid, certified email keys (that don't belong to the bank) > the same way their decoy web traffic is sometimes signed with > valid, certified SSL keys (that don't belong to the bank). > > And even if this problem were solved, most customers still > wouldn't know not to trust unsigned messages purporting > to be from their bank. > Precisely. The real problem is the human interface, where we're asking people to suddenly notice the absence of something they're not used to seeing in the first place. Yes, there have been studies. They've all been quite disappointing. I'm working on some related material right now, with the financial sector. It's not an easy problem. --Steve Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]