Re: Stopping (https) phishing

> On 12 Jul 2018, at 17:57, Dean Pierce <pierce403@gmail.com> wrote:
> 
> I think for any solution to be scalable it needs to be community driven with a lot of agility and flexibility.  I really like some of the attempts at Web of Trust style solutions, but it's really hard to figure out how to incentivize good behavior in such a way that can't just as easily be gamed by criminals to boost the reputation of fraudulent sites. 

Yes, if you have a web of trust in the PGP style between individuals, then there is a limit to the growth of the system.
I wrote this up just recently in "Why did the PGP web of Trust fail":
https://medium.com/@bblfish/what-are-the-failings-of-pgp-web-of-trust-958e1f62e5b7

The short of it is that in PGP I can vouch for very little, say, that you have a name. But that requires a skill
to verify names, which is not as easy as it may seem. I may vouch for your name, but that does not make
you a good name voucher. So it is not easy to get transitivity in attribute verification.

This is more obvious if we go beyond names, say to statements certifying that you can drive.
It is clear immediately that there are institutions that provide that, such as the Department of Motor Vehicles.
Indeed, institutions are knowledge organisations, each one specializing in a different type of knowledge.
These are parts of institutional webs of trust, and we are part of these institutions.

> Still, I feel like some sort of fuzzy community reputation based solution is the only approach that makes sense.  The great thing about that is even if a fully trusted, legitimate site gets hacked and starts serving malware, its reputation could nosedive over the course of minutes, and quickly protect additional users from getting pulled in.  I'd like to see green address bars for well trusted sites, maybe grey for unpopular websites, and dark red for sites that have been judged by the community to be malicious.  Maybe some browsers could even automatically block sites whose reputation drops below a certain threshold.

I also think those can be used. 

But we also have legal systems to help us with this kind of thing, and these have systems
that are built on reputation, but go far beyond it. They require evidence, claims, counterclaims, 
the law and so on. I think the problem is that we have not been using
the institutions of knowledge which our civilization developed over 3000 years. 
These are community forming institutions.

Henry

> 
>   - DEAN
> 
> On Thu, Jul 12, 2018 at 5:21 AM Henry Story <henry.story@bblfish.net> wrote:
> Dear Web Security group members,
> 
>   I have recently written up a proposal on how to stop (https) phishing,
> which has grown 6-fold in the past year according to the Anti-Phishing
> Working Group, and a lot more according to Symantec researchers I talked to
> recently.
> 
> I am looking into this as part of my PhD at Southampton, which is a mix
> between Web Science, Cybersecurity and Social Machines. Bringing these
> fields together opens up, as I believe you will see reading this, new ways
> of thinking about problems that have been dogging us for a while.
> 
>   https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9
> 
> There is also a response to a couple of questions by Ben Laurie on Twitter
> where I go into a bit more detail on how this solves the UI part of the
> problem.
> 
>   https://medium.com/@bblfish/response-to-remarks-on-phishing-article-c59d018324fe
> 
> I am very keen to hear your feedback on this. As TPAC will be in Lyon which
> is a reasonable distance from where I live I may be able to make it there
> to talk about improvements on this proposal following your feedback.
> 
> Sincerely,
> 
>   Henry Story
>   http://bblfish.net/

Received on Thursday, 12 July 2018 17:43:41 UTC