On 7/10/2014 8:26 AM, David F. Skoll wrote:
> On Wed, 9 Jul 2014 17:44:26 -0700 (PDT)
> John Hardin <jhar...@impsec.org> wrote:
>> I'm not excusing their approach, but I'm saying there are a lot of
>> sources of real-world friction that lead to suboptimal solutions like
>> this. I expect the desire to avoid requiring installation (and
>> maintenance!) of PGP/GPG by their (assumed non-technical) customers
>> is the primary reason they are doing it this way.
> Yes.
> Symantec is the real culprit here. It is actively encouraging the
> compromising of computers with the workflow of its product.
> The proper approach would have been to make freely available a
> "Symantec Encrypted Archive" viewer, similar to how Adobe makes PDF
> readers freely available.
Hold on there a second, let's not throw the baby out with the bathwater.
By using PGP they are using an open source encryption algorithm. If
they supply their own encrypted viewer then almost certainly it would be
closed source and there's no way to know if the NSA or some other
malevolent agency inserted a back door - like was done with RSA.
So I think that using PGP was the right course of action here.
Fundamentally the problem as I see it is lack of verification. You
pointed that out yourself.
A phisher can send an encrypted payload - maybe even encrypted with PGP
with high encryption - that would be unbreakable without the password.
Then they include the password in the phishing email.
As you properly pointed out - this is a lack of verification problem,
NOT a lack of encryption problem.
If Symantec replaces PGP with their own custom thing now you're not only
introducing the lack of verification, you're also introducing unreliability
of encryption, too. Use of PGP is actually the proper thing to do.
Wouldn't the BEST proper approach be to send out a link
to an SSL webserver where the end user can download the PGP encrypted
self-extractor?
Now yes I know you're all gonna say that a phisher can send out the same
emails to their OWN SSL webserver.
But, the moment law enforcement detects this is happening then the
phisher's SSL certificate gets revoked, eh?
After all, that's why we pay Verisign $10,000 a year for their special
commerce SSL certificates, eh?
And when the victim of the phish clicks on the SSL link then the browser
sends out alarm bells that the SSL certificate is compromised and not to
go there, eh?
Respond carefully - any negative response and you're impinging the honor
of our trusted SSL system!!! ;-)
Ted
Symantec of all companies should know better.
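The "lack of verification" pattern the thread describes (an encrypted or self-extracting attachment shipped together with its password in the same email) is something a mail filter can flag. The following is an added example, not code from anyone in this thread; the message, addresses and extension list are constructed for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample message (not a real phish): an encrypted self-extractor
# plus the password needed to open it, both in the same email.
SAMPLE_MSG = b"""\
From: billing@example.invalid
To: victim@example.invalid
Subject: Your secure statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Your encrypted statement is attached. Open it with the password: Summer2014
--B1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"
Content-Transfer-Encoding: base64

QUJDREVG
--B1--
"""

# Assumed list of attachment types that may carry an encrypted payload.
ENCRYPTED_EXTS = (".exe", ".pgp", ".gpg", ".zip", ".7z")
# Matches "password is X" / "password: X" / "passphrase: X" in the body.
PASSWORD_RE = re.compile(r"\bpass(?:word|phrase)\s*(?:is|:)\s*\S+", re.I)

def attachment_names(msg):
    """Filenames of every part marked as an attachment."""
    return [p.get_filename() or "" for p in msg.walk()
            if p.get_content_disposition() == "attachment"]

def body_text(msg):
    """Concatenated text/plain parts that are not attachments."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain"
                     and p.get_content_disposition() != "attachment")

def password_in_same_message(raw: bytes) -> dict:
    """Flag a message that carries an encrypted/self-extracting attachment
    together with the password to open it (the pattern discussed above)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    suspect = [n for n in attachment_names(msg)
               if n.lower().endswith(ENCRYPTED_EXTS)]
    has_password = PASSWORD_RE.search(body_text(msg)) is not None
    return {"attachments": suspect, "password_in_body": has_password,
            "flag": bool(suspect) and has_password}
```

The two signals are weak on their own (many legitimate senders attach zip files, and many emails mention passwords); it is the combination in one message that matches the workflow the thread is objecting to.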