On 2/9/07, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
One of the arguments in favor of a special treatment for the EV certification has been that of prevention of phishing, which I cited as
Yup, and that's more of a UI-related issue, IMO. EV gives browser manufacturers more reliable information about the identity of the endpoint, but it's going to be up to those browser manufacturers to figure out how to expose/leverage that information to protect users from phishing. It's by no means a solution. It's by all means an improvement over the status quo.[1]
sites have the solution to this problem at their fingertips and that the browsers of today provide enough capabilities for the implementation of better security and prevention of phishing attacks. Dan Goodin seems to
I agree with pretty much all of these points, and many (all?) banks in Europe are moving to require 2-factor-auth. Thanks for the link to the article, Eddy.

I've also, frequently and loudly, trumpeted that one of the easiest ways to stop phishing would be to educate users to not click on links in email, or even to indicate to users that the only way they should log in to a website is by using some special URI that's on the back of their bank card. It's been pointed out to me, of course, that the first time a phisher sent an email with a link in it, a user would most likely ignore all previous training and follow the path of least resistance; that's a pretty hard argument to counter.

Still, I think it would be yet another improvement over the status quo if we could get companies to stop building the expectation that they'll communicate with their customers via email.

cheers,
mike

[1]: I'm not really interested in talking about the financial models, nor the fact that CAs were initially expected to be doing this validation before everything went to hell. We're here now, so I'm interested in making things better.

--
/ mike beltzner / phenomenologist / mozilla corporation /

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
