Re: We need an architecture, not finger pointing.

On Oct 27, 2015, at 2:17 PM, Christian Huitema <huitema@xxxxxxxxxxxxx> wrote:
Identity checks matter. Lots of the discussion focused on SPAM, but the "acute problem of the day" is actually phishing, and specifically forging a mail that appears to come from someone you trust, to entice you to open a document or visit a URL that you should not. That's a pretty common step in the chain of events that leads to another "42 million user accounts compromised in a breach." 

This is correct. If I seem a bit strident on this issue, it’s because I’ve actually had a family member personally affected by this problem, in a rather severe way. The ability to verify that mail actually came from whom it claims to have come is quite important, particularly for aging family members who might not be as good at detecting scams as they once were. And for that matter, I’ve been momentarily fooled once or twice in recent years—the amateurs give us a false sense of security, but some phishers are _very_ skilled.

Of course, part of this is a UI issue, which is out of scope, but perhaps worth mentioning: MUAs should never present a blinded URL. If the HTML looks like this:

<a href="http://nefarious.example.org/QOJWEOJOWJCJ#UR1OJOJFOIJ?hack=yes">http://www.example.com/</a>

The user should see this:


I mention this only because PHB brought up architecture and Christian mentioned enticing people to visit URLs. The definition of "working" has to include not being subject to obvious UI vulnerabilities that are only safe if the end user is Bruce Schneier. Perhaps we need a Consumer Reports for commonly-used software.

