Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Eric Rescorla
Ian Grigg [EMAIL PROTECTED] writes: Notwithstanding that, I would suggest that the money already lost is in excess of the amount paid out to Certificate Authorities for secure ecommerce certificates (somewhere around $100 million I guess) to date. As predicted, the CA-signed certificate

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread John Levine
But is it so harmful? How much money is lost in a typical phishing attack against a large US bank, or PayPal? A lot. According to people at the anti-phishing conference earlier this year, six-figure losses are common, and seven-figure not unknown. The kind of phishes we all see, trolling for

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Ian Grigg
Eric Rescorla wrote: Ian Grigg [EMAIL PROTECTED] writes: Notwithstanding that, I would suggest that the money already lost is in excess of the amount paid out to Certificate Authorities for secure ecommerce certificates (somewhere around $100 million I guess) to date. As predicted, the CA-signed

Re: On `SSL considered harmful`, correct use of condoms and SSL abuse

2004-07-18 Thread Ian Grigg
Amir Herzberg wrote: (Amir, I replied to your other comments over on the Mozilla security forum, which is presumably where they will be more useful. That just leaves this:) So while `SSL is harmful` sounds sexy, I think it is misleading. Maybe `Stop SSL-Abuse!` Ha! I wondered when someone would

Re: dual-use digital signature vulnerability

2004-07-18 Thread Anne Lynn Wheeler
At 01:33 AM 7/18/2004, Amir Herzberg wrote: I don't see here any problem or attack. Indeed, there is difference between signature in the crypto sense and legally-binding signatures. The later are defined in one of two ways. One is by the `digital signature` laws in different countries/states; that

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Anne Lynn Wheeler
At 05:55 PM 7/17/2004, Eric Rescorla wrote: Now, my threat model mostly includes (1), does not really include (3), and I'm careful not to do things that leave me susceptible to (2), so SSL does in fact protect against the attacks in my threat model. I know a number of other people with similar

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread John Denker
Enzo Michelangeli wrote: Can someone explain me how the phishermen escape identification and prosecution? Gaining online access to someone's account allows, at most, to execute wire transfers to other bank accounts: but in these days anonymous accounts are not exactly easy to get in any country,

Re: dual-use digital signature vulnerability

2004-07-18 Thread Anne Lynn Wheeler
the fundamental issue is that there are infrastructures using the same public/private key pair to digital sign 1) random authentication data that signer never looks at and believe is of low value ... if they connect to anybody at all ... and are asked to digitally sign some random data for

Re: dual-use digital signature vulnerability

2004-07-18 Thread Sean Smith
at the NIST PKI workshop a couple months ago there were a number of infrastructure presentations where various entities in the infrastructure were ...signing random data as part of authentication protocol I believe our paper may have been one of those that Lynn objected to. We used the

Re: Using crypto against Phishing, Spoofing and Spamming...

2004-07-18 Thread Ian Grigg
Enzo Michelangeli wrote: Can someone explain me how the phishermen escape identification and prosecution? Gaining online access to someone's account allows, at most, to execute wire transfers to other bank accounts: but in these days anonymous accounts are not exactly easy to get in any country,

Re: dual-use digital signature vulnerability

2004-07-18 Thread Anne Lynn Wheeler
At 10:36 AM 7/18/2004, Sean Smith wrote: In SSL and TLS, the client isn't signing random data provided by the adversary. Rather, the client is signing a value derived from data both the client and server provide as part of the handshake. I do not believe it is feasible for a malicious server

Re: dual-use digital signature vulnerability

2004-07-18 Thread Sean Smith
it isn't sufficient that you show there is some specific authentication protocol with unread, random data ... that has countermeasures against a dual-use attack ... but you have to exhaustively show that the private key has never, ever signed any unread random data that failed to contain