On Thursday 09 June 2005 00:16, Gervase Markham wrote:
> Ian G wrote:
> > OK, so I hope you don't mind but I have to suggest
> > that this approach is a mistake, IMO. What is required
> > here is experimentation. Move forward and if it fails then
> > rip it out and say "sorry". So what? It's hardly likely
> > to make phishing any worse.
>
> I don't agree - it will make things worse. Lack of consistency between
> browsers, and between different versions of the same browser, leads to
> user confusion and makes it hard to have a simple user message.
>
> If a bank has to say:
>
> "If you are using Firefox 1.0, it looks like this. You need to do X to
> be secure. However, in Firefox 1.1, there's this different thing, and
> Firefox 1.2 has half of that, but it's changed so it now works
> differently..." then it's an absolute nightmare.
It is already an absolute nightmare. Practically all the instructions that are put out now are wrong at some level or other. Adding more instructions or hoping for better instructions isn't going to help any. What we have to deal with here is the fact that users basically will (and should) ignore instructions from security people because they have been proven to be less than efficacious in the past. Which isn't to say that we shouldn't instruct users on how to deal with one particular tool. But it does mean that any unified approach is not going to work.

> A user message of the approximate level of simplicity of "look for the
> lock" is a key route towards defeating phishing. We need something that
> browser makers, banks, merchants, CAs and consumer groups can all shout
> from the rooftops.

Well, I hate to be the wet blanket again, but ....

I've been working on phishing for 2.5 years now. Here's how I see it. I know it's not "just me" because I've watched what happened to the others and the experience is the same.

I started working on the cryptographers back at the beginning of 2003, when I realised that there was a nexus between the security model flaws and an actual in-the-flesh attack going on... In that time I count myself lucky that the people who were flaming me for all of 2003 and most of 2004 are now admitting that phishing exists in their presentations to conferences. Just "exists". *No more*. Not what to do about it, not who's to blame, not a hint of a solution.

In 1.5 years in this forum, we have not even got Mozilla to say in any frank sense that phishing is a problem ... let alone how to deal with it. We're still having discussions on whether there is even a place or relevance to this level of issue. Heikki has suggested that staff isn't ready for it and to move it back to npm which implies that security isn't ready for it either. ....
And he's not wrong, coz the day someone is ready to seriously start talking and dealing and thinking about phishing, then they'll say so.

What does this mean? It means that even though we have all spent huge efforts in trying to get some action, Mozilla's house is not in order. Now consider that Mozilla's house supposedly has no commercial agenda. Compare that to groups that have a commercial agenda. What chance does anyone have of bringing banks, browser makers, merchants, CAs, and anyone else together? None unless it is a violent process (and that is not ruled out at this point...) in which case by definition everyone is going to be disagreeing. (I'm talking about judicial processes here - suits, litigation, etc, which is in the starting throes at the moment, but the prosecutors and class action attorneys have not as yet found legal theories to back up their desires.)

The reason why you won't get anyone to agree on anything to do with phishing is very simple - money. Both liabilities backwards (huge!) and profits forward (huge!). No commercial player is going to say "oh, yes, we'll just sign up to that plan ... and ditch all our ideas and also allow ourselves to be set up for future liability as well as maybe past liability ..." (Companies have been madly patenting stuff for a couple of years now ...) It's just a non-starter.

Which leaves the market. Some amount of market bashing must occur, so as to overcome the natural fear and rejection of being handed someone else's solution. A winner must emerge. Which means losers must be well and truly beaten to a pulp. For that process to happen, proposals must go out there and get beaten to a pulp. Amir, Ahmad, Tyler, Ping, Doug (is it Doug?) Tygar, the Netcraft guys, the Comodo guys, they all know that. They know that their proposals are going to be torn to pieces in the competitive process. But they also know that's the only way forward. This won't be a "consensual" process.
It will be more like pillaging and rampant destruction - every one of these proposals goes out there saying "This will address phishing" and every one of them is playing with the user's risks. That's the way it has to be - we have to try it in the marketplace and find out who doesn't get eaten alive. The only good thing we can say about this is the quicker the better; at $3m per day in losses, we just lost a huge hunk again today in talking about it.

There is no other way. We already know that nobody here knows how to solve the problem definitively. We already know that papers and tests have been done since as far back as 1997. There is no point in asking for more papers and more trials and more evidence. Not unless you actually want to delay things by another day (3m per) or another year (1.2 billion dollars per). The way forward is lots of different ideas and lots of different experiences. Make some mistakes. Say sorry and fix it.

Wow, that was more of a rant than I intended. Oh well, enjoy !

iang

--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
