> > ... Trustbar has
> > shown is that it is possible to use cryptography to protect and display
> > the symbol with strength, and thus for users to rely on a simple visual
> > icon to know where they are.
Todd wrote:
> The statement above seems incorrect to me, and
> inconsistent with statements you have made for
> many years.
Well! I don't know about that .. but let's see. The statement made above was purely on the narrow focus of phishing. In your classic phish, the attacker bypasses the SSL/PKI security model completely. Why? Because there is no need to engage it. Let's call this a Class 1 Browser MITM.
1st step then is to make sure that the SSL/PKI system is engaged. Which means putting more information on the browser chrome so that the user partakes in this process. Logos, brand, colour. Browsers can do this now, by themselves, they just need to expand the padlock.
Then, we have today's story where someone went and acquired a decent certificate. That cert *also* engages the padlock, and even other parts. Let's call this a Class 2 Browser MITM.
So what was different about that cert in comparison to the proper cert? Well, we can imagine that the proper cert was in fact provided by another CA. But the user doesn't know that. Solution? Tell the user. We can do this by putting the CA's name on the chrome - IE7 is trialling this right now, albeit with bugs.
Or we can be more friendly to the user. We can put the logo of the CA on the chrome. The reason for taking this brand thing one step further is that we won't get the schlock that Geotrust came out with today - they would never ever dare to risk this sort of nonsense if their brand was on the chrome of every user's online banking session.
Now, why do we sign it? So that it is the right one. So no phisher can change it. Sure, the phisher can blow away the certificate process. In which case the phisher now _owns the user's machine_. Yeah, nothing can change that except a better machine / better OS.
Fix one problem at a time. Yes, we need a trusted platform. (No, thanks, Microsoft, not *that* one.) But in the meantime, as long as we are talking about the very limited domain of phishing and online banking, let's at least get the browser secured. However, if we are doing real transactions ... that won't be enough. I agree with that.
Posted by Iang at February 14, 2006 12:44 PM
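The check the comment above argues for (name the CA on the chrome, so a certificate from a different CA is visible to the user) can be written out as follows. This is an added example, not code from the original post or from Trustbar; the function names, the `remembered` store and the sample certificates are assumptions made for illustration.

```python
# Added illustration: helper names and sample certificates are constructed.
# Certificate dicts follow the shape returned by ssl.SSLSocket.getpeercert().

def issuer_org(cert):
    """Return the issuer's organizationName, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def chrome_indicator(host, cert, remembered):
    """Return (state, ca_name) for the browser chrome to display.

    cert is None when the page was not served over TLS; remembered maps
    host -> CA name seen on earlier visits (hypothetical local store).
    """
    if cert is None:
        return ("no-tls", None)        # Class 1: SSL/PKI never engaged
    ca = issuer_org(cert)
    if ca is None:
        return ("unknown-ca", None)    # nothing trustworthy to display
    previous = remembered.get(host)
    if previous is None:
        remembered[host] = ca          # first visit: record and show the CA
        return ("first-visit", ca)
    if previous != ca:
        return ("ca-changed", ca)      # Class 2: padlock on, different CA
    return ("same-ca", ca)

def make_cert(common_name, ca_name):
    """Build a constructed certificate dict for the demo."""
    return {"subject": ((("commonName", common_name),),),
            "issuer": ((("organizationName", ca_name),),)}

def demo():
    seen = {}
    usual = make_cert("bank.example", "Example CA One")
    other = make_cert("bank.example", "Example CA Two")
    return [chrome_indicator("bank.example", usual, seen),
            chrome_indicator("bank.example", usual, seen),
            chrome_indicator("bank.example", other, seen),
            chrome_indicator("bank.example", None, seen)]

if __name__ == "__main__":
    for state, ca in demo():
        print(state, ca)
```

The remembered CA is deliberately not overwritten on a mismatch, so the warning persists until the user decides which issuer to accept.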