[cap-talk] Firefox breaks the principle of identifiability

[Ben Laurie]

Tyler Close wrote:
> On Feb 7, 2005, at 6:54 PM, Ben Laurie wrote:
> 
>> Tyler Close wrote:
>>
>>> Petnames solve this problem by eliminating the name conflation. A
>>> separate namespace is used to identify trust relationships. This
>>> namespace is managed solely by the user's browser, thus eliminating the
>>> potential attacker from the name recognition process. That's how the
>>> petname toolbar solves the phishing problem, both in theory and in
>>> practice.
>>
>>
>> So how, in this system, does the user come to trust Paypal (as opposed 
>> to someone pretending to be Paypal)?
> 
> 
> Before getting into the mechanics of introduction, it is important to 
> realize that introduction has nothing to do with phishing. In a phishing 
> attack, a spoof site impersonates a trusted site so as to intercept the 
> high value communications between the user and the trusted site. The 
> introduction and creation of a trust relationship has already occurred, 
> and the phisher is trying to subvert this existing relationship. To 
> defend against phishing, we need only prevent subversion of existing 
> trust relationships. The current PKI solution fails to provide this 
> protection.
> 
> For example, people with Paypal accounts already have a connection and 
> trust relationship with the Paypal website. The phisher wants to get the 
> password for this existing Paypal account. We can defeat the phisher by 
> preventing impersonation of the Paypal website. As the shmoo examples 
> demonstrate, the PKI fails to prevent this impersonation.

The Shmoo example does not demonstrate anything about PKI (though it is 
true that the particular CA chosen doesn't tell you much about who 
bought the certificate, which would strike me as a fairly effective 
prevention of the attack - the CA was, however, chosen for cheapness, 
not usefulness).

> Do you agree that the petname toolbar prevents phishing attacks, as they 
> are defined in this email?

I agree that petnames will prevent spoofing an existing URL, indeed.

> Defending the integrity of introductions is also important, but it is a 
> separate problem from phishing. I am happy to explain how YURLs are used 
> to ensure the integrity of introductions, but let's progress in steps.

I can figure that one out. I still want to know how I get my first 
introduction.

BTW, I saw a domain spoofing attack today that did not attempt to 
subvert an existing trust relationship. It was trying to get people to 
post their pictures to a spoofed HotOrNot site. Frivolous, I'll admit, 
but nevertheless, an example of an attackable transaction with value 
that does not rely on an existing trust relationship and so cannot be 
prevented by petnames (at least, not in the way described).