Gervase Markham wrote:
Ian G wrote:

Yes, that may lock down the homograph thing, but it
does nothing to address the wider class of attacks.


Indeed not. Did I say it was the only solution? I was merely commenting on your use of the Shmoo example.


OK.  To declare:  when I mention the Shmoo thing I mean
as an example of the wider attack.  IMO mentioning the
Shmoo thing with only relevance to IDN is silly, as the
IDN thing has never been attacked by aggressive people
looking to steal money.  It's way too new to be relevant,
and there are easy pickings elsewhere.


I'm confused by one thing.  Why is it that the Shmoo
IDN bypassing was so strongly reacted to, when the
whole phishing thing has been going on for years now,
and has not received even a tenth as much recognition
as Shmoo achieved in a weekend?


In a nutshell, because the Shmoo group exploit makes this:
http://www.gerv.net/security/stay-safe/
not true. For that reason, "the Shmoo attack" is _not_ a shorthand for a whole wider class of attacks.

I can think of 3 other ways that the above page is "not true."

1.  paypal's CA issues a false cert
2.  any other CA issues a false cert
3.  any CA issues a cert to paypa1.com,
    or anything that looks the same in the font,
    like wwwpaypal.com
4.  user doesn't notice the change

That's a class of attacks.  Shmoo just happened to do it
one way.  So I feel my question remains unanswered, but
the night is young :-)

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
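The four variants listed in the message above (a mis-issued cert, a lookalike registration such as paypa1.com or wwwpaypal.com, and the user not noticing) are what the mixed-script "IDN fix" does not cover. The following is an added example, not code from the thread or from Mozilla: a small Python checker that applies the narrow mixed-script test to a hostname's first label and, separately, a lookalike "skeleton" test against a protected-brand list. The PROTECTED set, the CONFUSABLE map and the ASCII FOLDS are constructed subsets for this example (not the full Unicode confusables data), and the checker ignores the TLD, which is a simplification.

```python
import unicodedata

# Brand names we want to protect. Constructed for this example.
PROTECTED = {"paypal"}

# Small hand-picked subset of Unicode confusables: Cyrillic letters that
# render like Latin ones in common fonts. Not the full Unicode table.
CONFUSABLE = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04c0": "l",  # CYRILLIC LETTER PALOCHKA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Pure-ASCII lookalike folds (the paypa1.com case). Constructed, not exhaustive.
FOLDS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("|", "l")]


def script_of(ch):
    """Rough script classification from the Unicode character name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits, hyphens and
    other non-letters are treated as script-neutral."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script(label):
    """The narrow IDN defence: true if the label mixes letters from more
    than one script. Catches Latin 'paypal' with one Cyrillic 'a',
    but not paypa1.com, wwwpaypal.com, or an all-Cyrillic lookalike."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    return len(scripts) > 1


def skeleton(label):
    """Reduce a label to what a user would plausibly read: map confusable
    Cyrillic letters to their Latin lookalikes, then fold ASCII lookalikes."""
    s = "".join(CONFUSABLE.get(c, c) for c in label.lower())
    for src, dst in FOLDS:
        s = s.replace(src, dst)
    return s


def classify(hostname):
    """Return the sorted list of findings for a hostname's first label:
    'mixed-script' for the IDN case, 'lookalike' when the readable
    skeleton contains a protected brand but the label is not that brand."""
    label = hostname.lower().split(".")[0]   # simplification: TLD ignored
    findings = []
    if mixed_script(label):
        findings.append("mixed-script")
    sk = skeleton(label)
    if label not in PROTECTED and any(brand in sk for brand in PROTECTED):
        findings.append("lookalike")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample hostnames: the genuine site, the mixed-script
    # homograph, two pure-ASCII lookalikes, and an all-Cyrillic lookalike.
    samples = [
        "paypal.com",
        "p\u0430ypal.com",
        "paypa1.com",
        "wwwpaypal.com",
        "\u0440\u0430\u0443\u0440\u0430\u04cf.com",
        "example.com",
    ]
    for host in samples:
        print(f"{host!r:32} -> {classify(host) or ['ok']}")
```

Run stand-alone, only the second sample trips the mixed-script test; the third, fourth and fifth are flagged solely by the skeleton comparison, which is the point of the list above: blocking mixed scripts closes one door in the class, not the class. A production check would use the Unicode confusables data and the public suffix list rather than this toy table and first-label split.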
