Ian G wrote:
> Of those who worked in a business that routinely
> checks for identity, etc, has anyone got a feeling
> for how easy or hard it is for an attacker to bypass
> the system?
Ya' know, the more I work on CAcert and developing policies for ID checks, the more it occurs to me how fragile the whole ID system is and how easy it is to get round it. I've had people tell me how easy it is to get Dun and Bradstreet information altered in 10 minutes with a simple phone call; the system only works for the most part because it keeps honest people honest... That and you'd have to do a lot of DNS spoofing for it to be of any actual use, so while Nelson's comments on DNS spoofing are valid, how much does it actually occur in reality? (In other words, if it was as easy as he was making out, phishing attacks would utilise it etc.)

> d) no change at all, or
> e) make matters worse?

For server certificates I'd be going for d... In future, due to the increase in sophistication of spyware/adware, I'd be going for e, because once you have proven the email address etc. you don't need access to the email address to keep signing code...

> d) no change at all, or
> e) makes matters worse!

See above...

> Now, we can fiddle with those choices, and also
> fiddle with the money test. I chose phishing because
> it's the one with a billion dollar price tag, per annum,
> but someone else might choose eavesdropping on
> private sex chat for blackmail purposes. Whatever.

I thought the FBI already did that, and no telephone was encrypted... :)

> It sort of comes down to, is a phisher going to be
> deterred by Action A?

Since SSL isn't part of most attacks now, how is doing any of the above going to solve anything? It should be abundantly clear what my thoughts on the matter are: the current system is due to the original concept and how people thought it was going to be implemented, and how that isn't the case...

> Right. So see above. If you tighten up the requirements,
> can you show that they actually slow down the phishing?

I think that was my point: tightening up things for SSL only affects the ability for real people to have privacy; it won't stop determined attackers...
-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
