On Feb 10, 2012, at 12:37 01PM, Leo Bicknell wrote:

> In a message written on Fri, Feb 10, 2012 at 09:29:30AM -0800, Randy Bush wrote:
>> more and more these days, i have taken to not clicking the update messages,
>> but going to the web site manually to get it.
>>
>> waaaay too much phishing, and it is getting subtle and good.
>
> We know how to sign and encrypt web sites.
>
> We know how to sign and encrypt e-mail.
>
> We even know how to compare keys between the web site and e-mail via a
> variety of mechanisms.
>
> We know how to sign DNS.
>
> Remind me again why we live in this sad world Randy (correctly) described?
>
> There's no reason my mail client shouldn't validate the signed e-mail
> came from the same entity as the signed web site I'd previously logged
> into, and give me a green light that the link actually points to said
> same web site with the same key. It should be transparent, and secure
> for the user.

The really hard parts are (a) getting the users to pay attention to the validation state (or, more precisely, the lack thereof on a phishing email), and (b) getting them to do it *correctly*. Some of the browser password managers have protection against phishing as a very useful side-effect: if they don't recognize the URL, they won't pony up the correct login and password. That's much better than hoping that someone notices the absence of a little icon that means "this was signed".

The "correctly" part has to do with the PKI mess.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
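The password-manager side effect mentioned in the reply above, sketched as an added example (not part of the original message or any real product's code). It assumes the vault is keyed by exact origin, which is a simplification since real managers differ in how they match, and every hostname and credential in it is constructed.

```javascript
// Added example: origin-bound credential lookup, the check that makes a
// password manager decline to fill on a page it does not recognize.
// Hostnames and credentials are constructed sample data.

// Vault keyed by exact origin (scheme + host + port), saved at first login.
const vault = new Map([
  ["https://bank.example", { user: "alice", password: "constructed-secret" }],
]);

// Return saved credentials only when the page's origin matches exactly.
function credentialsFor(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl); // WHATWG URL parser, same rules a browser applies
  } catch {
    return null; // unparseable URL: never fill
  }
  if (url.protocol !== "https:") return null; // no fill over plaintext
  // url.origin drops userinfo, path and query, lowercases the host and
  // encodes IDN labels as punycode, so visual look-alikes do not match.
  return vault.get(url.origin) || null;
}

// The check a hurried reader effectively performs: "does it mention my bank?"
function looksRightToAHuman(pageUrl) {
  return pageUrl.includes("bank.example");
}

// Constructed sample URLs: two legitimate forms, then look-alikes.
const samples = [
  "https://bank.example/login",
  "https://BANK.example:443/login",       // same origin after normalization
  "https://bank.example.evil.test/login", // real name used as a subdomain
  "https://bank.example@evil.test/login", // real name in the userinfo part
  "http://bank.example/login",            // right host, no TLS
  "https://b\u0430nk.example/login",      // Cyrillic "a" homograph
];

// One row per URL: what a human glance says versus what the vault does.
function report() {
  return samples.map((u) => ({
    url: u,
    humanCheck: looksRightToAHuman(u),
    filled: credentialsFor(u) !== null,
  }));
}

console.table(report());
```
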