On Sat, Sep 10, 2011 at 4:01 PM, Peter Gutmann <[email protected]> wrote:

> Sure, figuring out whether it'll actually work is an experiment. OTOH we have
> vast masses of data on what phishers are doing, so while we can't easily tell
> what will work, we can tell fairly easily what won't work. If it doesn't
> address anything that phishers are doing then we know, without even bothering
> to deploy it, that it'll have no effect.
I feel like we're not really arguing here. Nevertheless it is Saturday, and I'm bored, so here goes.

1. Phishing isn't the only problem, right?

2. To some degree this is a game where we have to guess their next step, and make that harder too.

3. Who are the people arguing that TLS/HTTPS is a defense against phishing that are doing any "real" work on any of this, other than pitching products/junk?

Getting to credentials that can't be easily given away to the wrong party would certainly be a step in the right direction. Several things are hopefully working in that direction. I'd love to have some stats on whether people who use things like 1Password/LastPass actually get compromised less, since those tools save your password and know whether you're on the "right site."

Please don't forget that in the presence of malware on the client machine most of this doesn't matter, and so depending on what you think the balance is between phishing and malware for stealing credentials and/or monetizing accounts, you have a different set of things to do to make progress.

- Andy

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
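The point above about password managers "knowing whether you're on the right site" rests on origin-bound autofill: the saved credential is keyed to the exact origin it was saved on, so a lookalike host never receives it. The following Python is an added illustration of that check, not code from the thread or from any password manager; the vault contents, the hostnames and the `naive_matches` heuristic are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]

# Constructed sample vault: credentials keyed by the exact origin
# (scheme, lowercase host, port) on which the user originally saved them.
VAULT = {
    ("https", "bank.example", 443): ("alice", "correct horse battery staple"),
}


def origin_of(url: str) -> Optional[Origin]:
    """Normalise a URL to its origin; None if it is not a usable https origin."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return ("https", parts.hostname.lower(), parts.port or 443)


def lookup(url: str) -> Optional[Tuple[str, str]]:
    """Return the saved credential only when the page origin matches exactly.

    A subdomain, a sibling domain, a plain-http copy or a host that merely
    contains the saved name all fail, which is what stops autofill from
    handing the password to a lookalike page.
    """
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)


def naive_matches(url: str) -> bool:
    """The check a human (or a sloppy implementation) tends to make:
    'does the address contain the bank's name?'  Shown only to contrast
    with lookup(); it accepts lookalikes and is not a safe autofill rule."""
    return "bank.example" in url.lower()


if __name__ == "__main__":
    # Constructed URLs: one genuine, the rest lookalikes of various kinds.
    for u in [
        "https://bank.example/login",
        "https://BANK.example:443/login",
        "https://bank.example.login-verify.test/",
        "https://bank-example.test/",
        "http://bank.example/",
    ]:
        print(f"{u:45} exact={lookup(u) is not None}  naive={naive_matches(u)}")
```

Only the first two URLs resolve to a stored credential; every lookalike is refused even though the naive substring test accepts three of them. That difference is the whole defensive value of origin binding, and it is also why the thread's caveat stands: malware on the endpoint sits inside the origin boundary and bypasses this check entirely.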
