Re: Criteria for an antiphishing tool

2005-06-26 Thread Ian Grigg
Guys, this will be my last post, for reasons that I hope are clear. If anyone wants to discuss phishing, let me know. I'm hopeful a specialist list for cross-fertilisation of phishing efforts will pop up soon. On Saturday 25 June 2005 23:07, Gervase Markham wrote: Ian Grigg wrote

Re: Strange mail received with thunderbird

2005-06-25 Thread Ian Grigg
Ian Grigg, Pareto-Secure ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security

Re: Criteria for an antiphishing tool

2005-06-24 Thread Ian Grigg
in Financial Cryptography, Issue 1: https://www.financialcryptography.com/mt/archives/000458.html Daniel Nagy, On Secure Knowledge-Based Authentication Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products Ian Grigg, Pareto-Secure

Re: Criteria for an antiphishing tool

2005-06-24 Thread Ian Grigg
, Avoiding Liability: An Alternative Route to More Secure Products Ian Grigg, Pareto-Secure

Re: Criteria for an antiphishing tool

2005-06-22 Thread Ian Grigg
Products Ian Grigg, Pareto-Secure

Re: Calling for votes for and against

2005-04-27 Thread Ian Grigg
Although Gerv's worked on me hard, it seems that the essence of this border crossing model idea has survived in this forum. Calling for votes for or against from all lurkers, which I'll take back to the relevant bug for consideration there. What is the statement that people are voting

Re: Low security SSL sites

2005-04-25 Thread Ian Grigg
Peter 128 128 128 128 128 128 128 128 128 128. [Snip] Ignore the numbers, concentrate on the security. iang 128 ^ 128 (my 128 is better than your 128) Actually you should have used 128+1, because real cryptographers' keys go to 129. LOL... For those who do not understand the reference,

Do Firefox browser bugs matter?

2005-04-25 Thread Ian Grigg
A much more reasonable article about the interplay between Firefox and IE especially w.r.t. security. http://news.bbc.co.uk/2/hi/technology/4472219.stm Other than the obvious stuff about FOSS being good, he suggests that the real impact is in forcing Microsoft to address security. This all

Re: Problems with displaying Organisation field

2005-04-25 Thread Ian Grigg
Ian Grigg wrote: I am not suggesting that we make any assurances that the CA is not making; I am suggesting we more clearly represent the CAs position in the UI. As you know, CAs take different positions on this issue. Right. So there needs to be an easy way to show the CA / position

Re: Problems with displaying Organisation field

2005-04-22 Thread Ian Grigg
Ian G wrote: As a consumer you want someone else to promise you it's safe. As a supplier, you would be utterly insane to do that, without doing a lot of actuarial (insurance) calculations up front and taking twice the likely amount as a premium. I am not suggesting that we make any

Re: 2005 - The Year of the Snail

2004-12-09 Thread Ian Grigg
Ian Grigg wrote: snip It's really easy to offer a solution: download Firefox, and buy a Mac. But this is like asking a snail to become a hedgehog; it is simply out of the budget of way too many users to rush out and buy a Mac. Those that can do so, do so! snip I'm probably going

Re: 2005 - The Year of the Snail

2004-12-09 Thread Ian Grigg
I can see your point to some extent. There's also the "You'd be amazed what people will do to save a dollar" factor though, and for the vast majority of people that just browse and do email a recent Linux distribution (with some MINOR tech support from son/daughter/friend/etc) would be able to

Re: 2004 - The Year of the Phish

2004-12-09 Thread Ian Grigg
Hi Nelson! 1. The reason there is a strong dominating player at the moment is because there is no way to compete. But the reason there's no way to compete is due to whose root certs are in the main browsers, not any other reason like branding or lack of it. What are you guys smoking?

Re: 2004 - The Year of the Phish

2004-12-08 Thread Ian Grigg
Ian Grigg wrote: 1. The reason there is a strong dominating player at the moment is because there is no way to compete. But the reason there's no way to compete is due to whose root certs are in the main browsers, not any other reason like branding or lack of it. Yes, the reason

Re: 2004 - The Year of the Phish

2004-12-03 Thread Ian Grigg
Ian Grigg wrote: (Just briefly, the Certificate Authority needs to be shown. How exactly does this help the average user, who has no idea who Verisign are, and whether they should be trusted any more than VirtuaRoot (a name I just invented)? Good question. The answer: Branding. VeriSign

2004 - The Year of the Phish

2004-12-02 Thread Ian Grigg
FTR (1)! iang (( Financial Cryptography Update: 2004 - The Year of the Phish )) December 01, 2004 http://www.financialcryptography.com/mt/archives/000262.html

2005 - The Year of the Snail

2004-12-02 Thread Ian Grigg
FTR (2)! iang (( Financial Cryptography Update: 2005 - The Year of the Snail )) December 01, 2004 http://www.financialcryptography.com/mt/archives/000263.html

Re: SHA1 within a firebird extension

2004-10-06 Thread Ian Grigg
Nelson Bolyard wrote: I suspect there's been a misunderstanding here. I took Ian's "One supposes" remark as an unfinished sentence, and so did not attempt to interpret it. I was thinking out aloud, and expecting to get shot down in flames. You were right to ignore it :) Jean-Marc seems to have

why do corporations require more than one cert?

2004-08-20 Thread Ian Grigg
Amir, picking up a debate earlier this month around the forthcoming paper on spoofing: http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm Amir Herzberg wrote: I still don't see why the same corporation needs multiple SSL certificates. Why?? ... On this one point - I'm unsure

Re: more comments on the protecting naive browsers paper - petnames

2004-08-03 Thread Ian Grigg
Amir Herzberg wrote: http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm Right, that idea. A couple of things - it's called a petname which has a defined meaning, you can probably google for the defining paper. It is a name that is explicitly not shared with the rest of the world,

Re: Can FavIcon Favor the Conmen?

2004-07-18 Thread Ian Grigg
Amir Herzberg wrote: Ian Grigg wrote: http://www.financialcryptography.com/mt/archives/000179.html Yes, the FavIcon can become a real favorite with conmen and phishers... But I think the real use would not be to present SSL icon where it is not really used; as I found, many `serious` web sites

Financial Cryptography Update: New Attack on Secure Browsing

2004-07-15 Thread Ian Grigg
( Financial Cryptography Update: New Attack on Secure Browsing ) July 15, 2004 http://www.financialcryptography.com/mt/archives/000179.html

Re: Protecting (even) Naïve Web Users from Spoofing and Phishing

2004-07-13 Thread Ian Grigg
Amir Herzberg wrote: We have created a Mozilla extension that creates a secure, Trusted Logo and Credentials Area, which displays logos and other credentials of the site. We believe this helps protect web users, even naive users, against spoofing and phishing attacks. We are still playing with

Making VeriSign like CocaCola - How CA Branding works against Phishing, substitute CA attack, etc etc

2004-07-12 Thread Ian Grigg
[Guys, I've added the mozilla-security group to this thread. We are discussing this proposal: http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm ] Amir Herzberg wrote: Ian, I mostly agree; in particular, I agree that the fact that (all/most/many/some...) browsers will display the CA