Re: Stopping (https) phishing

On Thu, Jul 12, 2018 at 12:06 PM Henry Story <henry.story@bblfish.net>
wrote:

>
>
> On 12 Jul 2018, at 15:34, Dave Crocker <dcrocker@gmail.com> wrote:
>
> On 7/12/2018 5:19 AM, Henry Story wrote:
>
>   I have recently written up a proposal on how to stop (https) Phishing,
>
>
>   http://craphound.com/spamsolutions.txt
>
> originally written for email, but it applies here, too.
>
>
> :D
>
> But, not really: The architectural difference between the web and e-mail
> are very
> big. Furthermore the problems looked at are completely different: that
> questionnaire
> is for spam, and this is a proposal against phishing.
>

These problems are more similar than different, and what Dave linked to is
just as applicable. They share complex social and political issues, and
technologists that ignore that are no doubt likely to be ignored.

Then the type of solution I provide is very unlikely to have ever been
> thought of pre-web, given the type of technologies involved. Also I have
> spoken to people from Symantec and presented this at the cybersecurity
> Southampton reading group, and so it has had some initial tyre
> kicking already.
>

Given the lack of familiarity with Gutmann’s work, which in many ways has
served as a basic reader into the PKI space, I would be careful about
speculating about what ideas may or may not have been considered.
Similarly, given that Symantec has left the PKI business after a series of
failures, it’s unclear if you’re speaking of the current entity or the
former.

The question of an interrelated distributed set of links - and of authority
for different name spaces - is not new or original in this space. It’s true
whether you look at the Web of Trust or when you consider the PKI’s support
for mesh overlays with expressions of degrees of reciprocality of trust.

Similar, the suggestion of recognizing the different “organs”, as you
suggest, for different degrees of validation is also not new. You can see
this from the beginning of the X.509 discussions, in which ITU-T would
maintain a common naming directory from which you could further express
these links in a lightweight, distributed directory access protocol.

There is, underneath it all, a flawed premise resting on the idea that
X.509 is even relevant to this, but that criticism could easily occupy its
own voluminous email detailing the ways in which certificates are not the
solution here. The basic premise - that what we need is more information to
present to users - is itself critically and irredeemably flawed.


> Philosophically the answer presented is very different too. You can see
> that with
> the first line of that "questionnaire"
>
>    Your post advocates a
>    ( ) technical ( ) legislative ( ) market-based ( ) vigilante
>    approach to fighting spam.
>
> The approach  here is none of those: it is organological [1], in the sense
> that it is
> thinking of the problem from an approach that takes the body politic (the
> organs of the state),
> law, the individual  and technology into account as forming a whole that
> co-individuates itself.
> So to start it does not fit first choice box...
>

> But you don't need to understand that philosophy to understand the
> proposal. You just
> have to be open to new possibilities. I
>
> Henry
> http://bblfish.net/
>
> [1] There was a conference on this here for example.
>
> http://criticallegalthinking.com/2014/09/19/general-organology-co-individuation-minds-bodies-social-organisations-techne/
>
>
> And fwiw, for any UX issue, there is no certitude in the absence of very
> specific testing.
>
>
> Yes of course. I do go more carefully into the problem with the https UX
> here
>
>
> https://medium.com/@bblfish/response-to-remarks-on-phishing-article-c59d018324fe#1a75
>
> I argue there with pictures to go along, that the problem is that there is
> not enough information
> in X509 certificates for it to make sense to users. Even in EV certs. What
> is needed is live
> information.
>
>
>
> d/
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
>
>
>