beltzner wrote:

> It's by no means a solution. It's by all means an improvement over the status quo.[1]

But perhaps not the only possible improvement...and most likely not the best one either. After private discussions with some members of this forum, we decided to work on an alternative proposal and put that forward to the Mozilla community. Of course it will be up to the community to decide on it and perhaps improve and shape it...

Of course, any such solution should not come at the expense of affordable certification, otherwise what would you gain with it? Well-authenticated certificates should be available for the masses in order to make certification generally more reliable, trusted and used. _This_ EV will not give you, therefore I think that EV is a half-baked solution...

> I agree with pretty much all of these points, and many (all?) banks in Europe are moving to require 2-factor-auth.

Two-Factor Authentication might be *one* of the solutions to prevent phishing and, as I indicated in previous mails, there are yet even more. As European banks move forward to protect themselves and their customers, one might hope that the biggest targets of today's attacks will start to take responsibility and do the same...

> I've also, frequently and loudly, trumpeted that one of the easiest ways to stop phishing would be to educate users to not click on links in email,

OK, if we are at it, can you tell me why Thunderbird (using 2.0beta) doesn't deactivate any links once recognized and marked as a scam? Perhaps there is already an open bug for this, else I'll open one...

> or even to indicate to users that the only way they should login to a website is by using some special URI that's on the back of their bank card. It's been pointed out to me, of course, that the first time a phisher sent an email with a link in it, a user would most likely ignore all previous training and follow the path of least resistance; that's a pretty hard argument to counter.

Combining the "special URL" as a part of your authentication might just be one step in the right direction. Obviously, not knowing the URL (which is unique for every user) will simply fail every login attempt. As you can see, there wouldn't be a lack of good, workable and effective ideas, would the operators of targeted web sites just get their act together...

> [1]: I'm not really interested in talking about the financial models, nor the fact that CAs were initially expected to be doing this validation before everything went to hell. We're here now, so I'm interested in making things better.

Excellent. But if we are at it, perhaps let's do it smart, not with a sledgehammer...
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
