On Sun, Sep 11, 2011 at 10:45 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> "James A. Donald" <jam...@echeque.com> writes:
>>On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
>>> 1. Phishing isn't the only problem right?
>>> 2. To some degree this is a game where we have to guess their next
>>> step, and make that harder too.
>>
>>If we were doing something about their first step, then it would be necessary
>>to guess their next step.
>
> My point exactly. We can start debating what type of lock to put on the barn
> door once we add a door.

Several things already in place and/or in progress:

1. DKIM
2. ADSP (or replacement)
3. Email security indicators research - do they help, hurt, or do nothing. I don't think existing work on other browser security indicators aren't perfectly relevant in this space. For an example of what I mean - http://www.iconix.com/ , but both Google and Yahoo have experiments that are similar.
4. Non-stealable "credentials". A much longer/harder problem. Even with these of course attackers can steal other things of value...

That said, I think phishing against some folks is actually in serious decline, and we're pushing the attackers away from phishing and towards other things. Data is of course notoriously hard to get on this front.

BTW, lest you be confused about some other reported metrics, check here:
http://www.thesecuritypractice.com/the_security_practice/2011/02/phishing-metrics-demystified.html

- Andy