- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 30 Jul 2007 20:57:58 -0400
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- CC: public-wsc-wg@w3.org
Stephen Farrell wrote: > > Serge, > > Serge Egelman wrote: >> >> We went over this. The $20 GoDaddy example I cited before. I >> registered a domain and purchased a certificate using PayPal, and it's >> all under Stephen's name. > > <neitherSeriousNorFlippantMockery> > > Same thing was done back in about 98 under Warwick Ford's name and > a number of times before and after. No big deal then. No big deal > now. Sorry if you thought that was cute. > > The issue of what to display is real. Your work there helps. > > Whether a cert costs $20, (or even real money like €20:-) is immaterial. > The fact that it is traceable is significant, and the non-zero cost > means that undirectected attacks on that basis fail to scale. Directed > attacks where each attempt involves either the same server cert or > else a CA interaction can be noticed and hence the $20 or even $0 > cert is accountable, at least as much as needs be. Where is the accountability?? That's my question, and it's taken a flurry of emails, yet no one has answered it. You claim that these certs are accountable, yet you can't say why (though freely admit that phishers could purchase them anonymously). There seems to be a huge disconnect here. > > However, I remain surprised that you keep on about this. Don't most > phishes depend, as you tell us over and over, on the passive indicator > being useless. Yet you suddenly prefer one such over another on > apparently no basis whatsoever. I don't get that. That's still my position. However, you're now talking about making more useless indicators and confusing the small number of users who actually do notice the original ones. Again, how many attacks have you seen that use SSCs? > > </neitherSeriousNorFlippantMockery> > >> Nothing is linked back to me, there is zero >> accountability (BTW: Johnathan said that he'd pull the root if this >> were the case, though I doubt that's happened). > > You think paypal is anonymous? Hmm... No, that wasn't my point. My point is that PayPal accounts are frequently stolen. I can hop on IRC and buy one for a few dollars (same with credit card numbers). If I were seriously doing this as a phisher, there would be no chance of tracing it back to me. Hence, no accountability. If you're saying that the system relies on the accountability of the payment service, then that's a major fallacy. Sure, PayPal or the bank could notify the CA that a stolen account was used to buy the CA, but I doubt they currently do that. And if they did, it certainly isn't going to happen in a matter of hours from the time of the purchase. It'll probably happen outside of the 24 hour window that most phishing sites currently exist for. > >> If I were a phisher, and >> this scheme worked (let's pretend that user's will notice, understand, >> and obey the SSC indicators---which we currently know to not be the >> case), I'd start dropping $20 for each site to get a real CA-signed >> certificate. >> >> The current figures state that phishers make anywhere from $250-1000 >> per victim. Dropping $20 really isn't a big deal. Hell, dropping >> $500 on an EV cert may be worth it, if we can ever come up with useful >> indicators, but that's a different matter... >> >> I really think that we should just classify non-EV and SSC >> certificates as the same thing: only useful for encryption. We show >> an encryption indicator, which will only be noticed by the tech-savvy >> users anyway. > > On what basis do you think that EV certs are better? (Serious question.) > > Didn't you notice the thread where we saw that they need the browser > code to know the funny handshake? (As was the case before with > server-gated crypto. Its a fine, but ultimately silly distinction.) Honestly? I don't think EV is any better. But that's another battle. It's a higher burden, which phishers aren't going to attempt as long as picture-in-picture attacks are successful, as long as users don't notice passive indicators, and as long as you can accomplish the same thing for a fraction of the price. serge > >> And then we primarily focus on consistency. > > There you do have a point. As with user attention. > > But you are off base in terms of PKI. > > S. > -- /* Serge Egelman PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Tuesday, 31 July 2007 00:58:13 UTC