[Asrg] mail security

Ian Eiloart iane at sussex.ac.uk
Tue Jan 20 08:35:11 PST 2009



--On 20 January 2009 10:50:05 -0500 John Leslie <john at jlc.net> wrote:

> John Levine <johnl at taugh.com> wrote:
>>
>> Let's say you get a message from security at pay-pal.com, which is 100%
>> DKIM, SPF, and Sender-ID approved. Is that Paypal? How can you tell
>> short of manually looking up WHOIS registrations?

Well, without all those technologies, it's simple to simply use paypal's 
domain. Then there's no clue. Now, if you use a look-alike domain name, 
then you're probably violating the trademark. That's illegal, so your ESP 
and your mail client will be quite justified in looking for domains that 
are similar to ones that you trust. That list might come from several 
sources - trademark registrars, your address book, your whitelist, and so 
on.

>    Most folks couldn't tell if they _did_ look up WHOIS -- so at first
> blush I'd say that's the wrong question.
>
>    Let's think about it differently.
>
>    Why does phishing work?
>
>    It works because the security of financial transactions depends on
> obviously insecure passwords (anything simple enough for average folks
> to remember _must_ be insecure) entered onto loosely secured websites.
>
>    Compare that to ssh. Is there a record kept of what certificate is
> used? Are there obvious warnings when you start a session with a
> server whose certificate you've never seen before? Or even a warning
> when the certificate changes?
>
>    More to the point: why do financial institutions depend upon code in
> browsers instead of calling a separate application for authentication?

Because, when the security is breached, the customer pays. That needs to 
change. Make the banks liable for frauds that are committed against them, 
and then they'll start taking it seriously. They'll block insecure 
browsers, and the browser authors will be forced to catch up.

The downside is that it's their poorest customers who may be forced to pay 
for hardware or o/s upgrades. There's also a risk that they might decide to 
only support one browser.

> The quality of security in browsers varies from barely adequate to
> downright laughable (with a lot of customers using outdated browsers
> closer to the laughable end of that range).
>
>    Is there actually any point in trying to solve phishing issues by
> verifying the origin of email if the customer is going to depend on
> a known-insecure web-browser?
>
> --
> John Leslie <john at jlc.net>



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
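The look-alike check Ian describes (comparing a sender's domain against domains you already trust, with separators and confusable characters folded away) can be sketched as follows. This is an added example, not code from the thread or from any ESP; the trusted-domain list, the confusable table and the public-suffix stub are all constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed trusted-domain list, standing in for the address book, whitelist
# and trademark sources the post mentions.
TRUSTED_DOMAINS = {"paypal.com", "sussex.ac.uk"}

# Characters that read like other letters at a glance (constructed short list).
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def registrable_label(domain):
    """Label left of the public suffix; the two-label suffix set is a stub."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in {"ac.uk", "co.uk"}:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def canonical(label):
    """Fold accents to ASCII, drop separators, map confusable characters."""
    text = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    text = text.replace("-", "").replace("_", "").translate(SINGLE)
    for src, dst in MULTI:
        text = text.replace(src, dst)
    return text

def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return ('trusted'|'lookalike'|'similar'|'unknown', matched trusted domain)."""
    domain = domain.lower().strip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)      # the real domain or a subdomain of it
    label = canonical(registrable_label(domain))
    best, best_ratio = ("unknown", None), 0.0
    for t in trusted:
        t_label = canonical(registrable_label(t))
        if label == t_label:
            return ("lookalike", t)    # identical once separators/confusables fold
        ratio = SequenceMatcher(None, label, t_label).ratio()
        if ratio >= 0.8 and ratio > best_ratio:
            best, best_ratio = ("similar", t), ratio
    return best

if __name__ == "__main__":
    for sender in ("security@pay-pal.com", "alerts@mail.paypal.com", "news@example.org"):
        print(sender, "->", classify_sender_domain(sender.split("@")[1]))
```

A real client would take the suffix list from the Public Suffix List and the confusable table from Unicode's confusables data rather than these stubs.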

