Re: Can crypto help against Phishing, Spoofing and Spamming...

2004-07-14 Thread Amir Herzberg
John Levine wrote:
>> Reminder: following lots of discussion on this list, I wrote proposals
>> on how crypto can help solve phishing, spoofing and spamming problems.
>> ...
>> # Protecting (even) Naive Web Users, or: Preventing Spoofing and
>> Establishing Credentials of Web Sites, at
>> http://eprint.iacr.org/2004/155/ (or off http://AmirHerzberg.com)
> This is a pretty good paper.  It outlines the problem and proposes
> that browsers add a trusted credential area that displays a site
> logo that has to be signed by a CA using SSL, in a way that is hard to
> spoof or forge.
Thanks! But our prototype (for Mozilla) also allows you to select the 
logo (or icon) for the site manually, although having it already signed 
by a trusted authority could be nice. Also, the trusted area can 
display other credentials of the site, in particular the logo and/or 
name of the CA.
> I've been discussing a similar idea with a lot of people that has one
> important difference: the seal belongs to the CA and is distributed as
> part of the verification certificate.  Per-site logos have the
> disadvantages that there are a lot of sites, not all with famous
> logos, and there are a lot of CAs, most of whose primary verification
> technique is to be sure your check didn't bounce.
I completely agree that the existing CA solution in browsers is lousy; did 
you notice that the main requirement to become a CA is to be a CPA 
(certified public accountant) and pay 1400$ to WebTrust? (more in the paper)
That's why manual logo approval by users is an important first step 
(works great - I don't know how I ever used e-banking without it). 
A second step may be for users to share these user-certified logos, and 
finally, for some trustworthy organizations to provide logo certificates.
> In most industries there is a regulator or trade association who
> already knows who the legitimate players are.  That's who should be
> running the CA for that industry, with an industry wide logo that they
> could advertise, something like a golden dollar sign that tells you
> that a site is really a bank.  I spoke briefly to a guy from the FDIC
> at last year's antiphishing meeting who said they'd been thinking of
> something like that.
Agree! We call this a credential; see the paper or just this screen shot: 
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing_files/image006.gif
--
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & 
security)
begin:vcard
fn:Amir  Herzberg
n:Herzberg;Amir 
org:Bar Ilan University;Computer Science
adr:;;;Ramat Gan ;;52900;Israel
email;internet:[EMAIL PROTECTED]
title:Associate Professor
tel;work:+972-3-531-8863
tel;fax:+972-3-531-8863
x-mozilla-html:FALSE
url:http://AmirHerzberg.com
version:2.1
end:vcard
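The exchange above turns on one detail: a logo shown in the trusted area is only worth something if it is bound to the site the browser is actually connected to, whether that binding comes from a CA-signed credential or from the user's own manual approval. The following Go program is an added illustration of that binding and is not code from the paper, the Mozilla prototype, or either correspondent. It uses ed25519 as a stand-in for whatever signature scheme a real CA would use, binds the credential to a host name rather than to an SSL certificate as the paper may do, and the names (`LogoCredential`, `TrustedArea`, `Decide`, the issuer and host names, the logo bytes) are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// LogoCredential binds one logo image (by hash) to one site name and is
// signed by an issuing authority. The trusted area displays the logo only
// when every field checks out against the connection actually in use.
type LogoCredential struct {
	Site     string   // host the logo is certified for
	LogoHash [32]byte // SHA-256 of the exact image bytes to display
	Issuer   string   // name of the CA / regulator that signed it
	Sig      []byte   // ed25519 signature over credentialBytes(...)
}

// credentialBytes is the canonical signed encoding. Fields are length-
// prefixed so bytes cannot be shifted between the site and issuer fields.
func credentialBytes(site string, logoHash [32]byte, issuer string) []byte {
	return []byte(fmt.Sprintf("logo-credential|%d|%s|%x|%d|%s",
		len(site), site, logoHash, len(issuer), issuer))
}

// GenerateCA makes a fresh signing key pair (stand-in for a real CA key).
func GenerateCA() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueLogoCredential is what the issuer does once, offline, for a vetted site.
func IssueLogoCredential(caPriv ed25519.PrivateKey, issuer, site string, logo []byte) LogoCredential {
	h := sha256.Sum256(logo)
	return LogoCredential{Site: site, LogoHash: h, Issuer: issuer,
		Sig: ed25519.Sign(caPriv, credentialBytes(site, h, issuer))}
}

// TrustedArea is the browser-side state: trusted issuer keys plus logos the
// user approved by hand, keyed by site name and the site's TLS key fingerprint.
type TrustedArea struct {
	caKeys    map[string]ed25519.PublicKey
	userLogos map[string][32]byte
}

func NewTrustedArea() *TrustedArea {
	return &TrustedArea{caKeys: map[string]ed25519.PublicKey{}, userLogos: map[string][32]byte{}}
}

func (t *TrustedArea) AddCA(name string, pub ed25519.PublicKey) { t.caKeys[name] = pub }

// ApproveLogo records the user's manual decision for this site *and* this
// server key, so the logo is not reused for a look-alike host or after the
// site's key changes.
func (t *TrustedArea) ApproveLogo(site, serverKeyFP string, logo []byte) {
	t.userLogos[site+"|"+serverKeyFP] = sha256.Sum256(logo)
}

// Decide returns what the trusted area should show for the logo a page
// wants displayed: "ca:<issuer>" for a valid signed credential, "user" for
// a logo the user approved for this site and key, or "" (show nothing).
func (t *TrustedArea) Decide(connectedSite, serverKeyFP string, logo []byte, cred *LogoCredential) string {
	h := sha256.Sum256(logo)
	if cred != nil {
		pub, known := t.caKeys[cred.Issuer]
		if known && cred.Site == connectedSite && cred.LogoHash == h &&
			ed25519.Verify(pub, credentialBytes(cred.Site, cred.LogoHash, cred.Issuer), cred.Sig) {
			return "ca:" + cred.Issuer
		}
	}
	if stored, ok := t.userLogos[connectedSite+"|"+serverKeyFP]; ok && stored == h {
		return "user"
	}
	return ""
}

func main() {
	caPub, caPriv := GenerateCA()
	ta := NewTrustedArea()
	ta.AddCA("ExampleBankRegulatorCA", caPub) // constructed issuer name
	logo := []byte("constructed stand-in for the bank's logo image bytes")

	cred := IssueLogoCredential(caPriv, "ExampleBankRegulatorCA", "www.bank.example", logo)
	fmt.Println("real bank:         ", ta.Decide("www.bank.example", "fp-bank", logo, &cred))
	// A look-alike host replays the bank's logo and credential verbatim.
	fmt.Println("look-alike host:   ", ta.Decide("www.bank-login.example", "fp-phish", logo, &cred))
	// The user approves the logo manually; only that site+key pair gets it.
	ta.ApproveLogo("www.bank.example", "fp-bank", logo)
	fmt.Println("user-approved:     ", ta.Decide("www.bank.example", "fp-bank", logo, nil))
	fmt.Println("same name, new key:", ta.Decide("www.bank.example", "fp-other", logo, nil))
}
```

Two design points carry the argument of the thread. First, the hash in the credential must be of the exact bytes the trusted area renders, so an issuer's signature can never be borrowed for a different image; a credential copied from the real bank fails on a look-alike host because the host name is inside the signed bytes. Second, user-approved logos are keyed by both host name and server key fingerprint, which is what makes the "manual first step" safe against look-alike names and lets the browser notice when a site's key silently changes.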



Can crypto help against Phishing, Spoofing and Spamming...

2004-07-09 Thread Amir Herzberg
Reminder: following lots of discussion on this list, I wrote proposals 
on how crypto can help solve phishing, spoofing and spamming problems.

Apparently a few had problems downloading the PDF files from our (BIU) 
site, so I've put both papers in ecrypt (which I believe is more 
reliable), and also, I've put an HTML version on our site.

So, I apologize for the inconvenience if you tried before and got 
nothing, but these links should work fine, and I am very interested in 
your feedback:

# Protecting (even) Naïve Web Users, or: Preventing Spoofing and 
Establishing Credentials of Web Sites, at 
http://eprint.iacr.org/2004/155/ and 
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/Spam.htm

# Controlling Spam by Secure Internet Content Selection, at 
http://eprint.iacr.org/2004/154/ and 
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/Spam.htm

--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & 
security)