Re: Stopping (https) phishing from Henry Story on 2018-07-12 (public-web-security@w3.org from July 2018)

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 12 Jul 2018 19:06:00 +0200
To: Dave Crocker <dcrocker@gmail.com>
Cc: public-web-security@w3.org
Message-Id: <1F6F3F23-F6D9-4359-80B2-39BE80CF02A9@bblfish.net>

> On 12 Jul 2018, at 15:34, Dave Crocker <dcrocker@gmail.com> wrote:
> 
> On 7/12/2018 5:19 AM, Henry Story wrote:
>>   I have recently written up a proposal on how to stop (https) Phishing,
> 
>   http://craphound.com/spamsolutions.txt
> 
> originally written for email, but it applies here, too.

:D 

But, not really: The architectural difference between the web and e-mail are very
big. Furthermore the problems looked at are completely different: that questionnaire 
is for spam, and this is a proposal against phishing.

Then the type of solution I provide is very unlikely to have ever been
thought of pre-web, given the type of technologies involved. Also I have
spoken to people from Symantec and presented this at the cybersecurity
Southampton reading group, and so it has had some initial tyre 
kicking already.

Philosophically the answer presented is very different too. You can see that with 
the first line of that "questionnaire"

   Your post advocates a
   ( ) technical ( ) legislative ( ) market-based ( ) vigilante
   approach to fighting spam.

The approach  here is none of those: it is organological [1], in the sense that it is 
thinking of the problem from an approach that takes the body politic (the organs of the state), 
law, the individual  and technology into account as forming a whole that co-individuates itself. 
So to start it does not fit first choice box...

But you don't need to understand that philosophy to understand the proposal. You just
have to be open to new possibilities. I

Henry
http://bblfish.net/ <http://bblfish.net/>

[1] There was a conference on this here for example. 
 http://criticallegalthinking.com/2014/09/19/general-organology-co-individuation-minds-bodies-social-organisations-techne/

> 
> And fwiw, for any UX issue, there is no certitude in the absence of very specific testing.

Yes of course. I do go more carefully into the problem with the https UX here

https://medium.com/@bblfish/response-to-remarks-on-phishing-article-c59d018324fe#1a75

I argue there with pictures to go along, that the problem is that there is not enough information
in X509 certificates for it to make sense to users. Even in EV certs. What is needed is live
information. 

> 
> 
> d/
> -- 
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net

Received on Thursday, 12 July 2018 17:06:27 UTC