RE: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]


 



Dean, this is very helpful. Thank you!
Parry
-----Original Message-----
From: Dean Anderson [mailto:dean@xxxxxxx] 
Sent: Monday, December 22, 2003 3:20 PM
To: Parry Aftab
Cc: ietf@xxxxxxxx
Subject: RE: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

On Sun, 21 Dec 2003, Parry Aftab wrote:

> If not to protect them, how can you verify that a site is not being
> spoofed, technically?

When you connect to a secure website, you can examine the SSL
Certificate for the site, usually by clicking on the "lock" symbol on
many browsers.

People should learn how to do this, and make it a habit of doing so when
they connect to secure sites, so they recognize when something changes.

Unfortunately, like other components of scams, the certificate might
have a similar-sounding name. You think you've got (eg paypal.com), but
you got Paypal-business.com. The certificate (we assume for argument)
really does belong to an entity called paypal-business.com, but is
paypal-business.com the same as paypal?  You don't know.

The best thing to do is start from (eg) paypal.com from your account
statement, etc, and examine the site certificate.  Then you have a good
chance that it is not spoofed. But it is only a chance, as it could
still be spoofed in various ways. There are lots of scenarios for this,
but here's one:  Your computer could be infected with a virus which
installed a web proxy--then the attacker sends you a message to go
update your stuff. You type in paypal.com, but your infected browser
goes to the fake site instead.  When you try to view the certificate,
your infected browser shows you the real certificate information.  You
can't easily know this didn't happen.  But examining the certificate is
a good practice.

So there are things to do that will make the con-artist's job harder,
but you can't make it impossible to be conned.  But hopefully, the
police will be able to track down the con-artists, and by doing so,
will deter others.  There is no perfect system, so we can't give any
assurances that there is a perfect system.  Nor is it the case that if
you do or don't do certain things, you can't be victimized.  The best
we can do is tell people to use their common sense, so they aren't
victimized by the lowest-grade of con-artists.

The issue is not a technical issue, but a social and policy issue. You
can also be sure, as a point of policy, that if the law enforcement
community doesn't react swiftly and harshly to cons and frauds, then
the lowest-grade cons will be attracted to the internet, where
experience and close calls will improve their skills.  A large number
of high-grade (by that I mean very sophisticated) con-artists would be
a disaster.  A large number of low-grade con-artists creates momentum
for increases in the number of high-grade con-artists.  The policy
implications are clear.

Law enforcement tends to focus on the most serious criminals: Bank
robbers who take control of a bank and enter the vault get more
attention than the person who passes a note to a teller.  This is good
policy, but the 'note-passers' who rob real banks aren't completely
ignored.  In contrast, in the virtual world, that's just what's been
happening:  'note-passers' are ignored altogether until they graduate
to the major 'seizing control' level.  This is bad policy.

Consider the Microsoft worm perpetrator who coincided with the East
Coast Blackout. When it was suspected that it might be related to the
blackout, the police found this guy right quick. It is not hard to
track these things down with law enforcement powers.  But nearly all
virus operators are ignored, even when reported.

I operate an ISP in Boston.  I've reported several computer break-ins
over the years to the Feds. They take the report and nothing happens.
Now, I don't bother. I have enough to do.  By trial and error, the
crackers and con-artists get better.

		--Dean
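
An added example, not part of the original message: the certificate check discussed above, written in Python. It separates the two questions the message distinguishes, namely whether the certificate covers the host you reached and whether that host is the domain you meant to reach. All function names and sample names are constructed for illustration, and `brand` assumes the expected domain has the form brand.tld.

```python
# Added illustration; names and sample data are constructed, not from the message.

def normalize(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().rstrip(".").lower()

def cert_covers(host, san_names):
    """True if host matches one of the certificate's DNS names.
    A wildcard is honoured only as the entire left-most label."""
    host_labels = normalize(host).split(".")
    for san in san_names:
        san_labels = normalize(san).split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if san_labels[0] == "*" and len(san_labels) > 2:
            if san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False

def classify(name, expected_domain):
    """Relate a host name to the domain the user meant to visit."""
    name = normalize(name)
    if name.startswith("*."):
        name = name[2:]
    expected = normalize(expected_domain)
    if name == expected or name.endswith("." + expected):
        return "expected"
    brand = expected.split(".")[0]  # assumption: expected is brand.tld
    return "lookalike" if brand in name else "unrelated"

def review(connected_host, expected_domain, san_names):
    """Return (certificate covers the host, relation of host to expected domain)."""
    return (cert_covers(connected_host, san_names),
            classify(connected_host, expected_domain))

if __name__ == "__main__":
    # Constructed case: a genuine certificate for a similar-sounding name.
    sans = ["paypal-business.com", "*.paypal-business.com"]
    print(review("www.paypal-business.com", "paypal.com", sans))
```

A certificate can be valid for the host and still belong to a lookalike, which is the first element being True while the second is "lookalike". A check like this runs on the same machine as the browser, so it does not address the infected-browser scenario in the message.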




