On Feb 10, 2012, at 12:37 01PM, Leo Bicknell wrote:
> In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush
> wrote:
>> more and more these days, i have taken to not clicking the update messages,
>> but going to the web site manyually to get it.
>>
>> waaaay to much phishing, and it is getting subtle and good.
>
> We know how to sign and encrypt web sites.
>
> We know how to sign and encrypt e-mail.
>
> We even know how to compare keys between the web site and e-mail via a
> variety of mechanisms.
>
> We know how to sign DNS.
>
> Remind me again why we live in this sad word Randy (correcly) described?
>
> There's no reason my mail client shouldn't validate the signed e-mail
> came from the same entity as the signed web site I'd previously logged
> into, and give me a green light that the link actually points to said
> same web site with the same key. It should be transparent, and secure
> for the user.
The really hard parts are (a) getting the users to pay attention to the
validation state (or, more precisely, the lack thereof on a phishing
email, and (b) get them to do it *correctly*.
Some of the browser password managers have protection against phishing as
a very useful side-effect: if they don't recognize the URL, they won't pony
up the correct login and password. That's much better than hoping that
someone notices the absence of a little icon that means "this was signed".
The "correctly" part has to do with the PKI mess.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
