[cap-talk] Browser upgrades, phishing, "known" CAs
jed at nersc.gov
Wed Feb 8 12:55:25 EST 2006
At 02:53 AM 2/8/2006, Ian G wrote:
>Jed Donnelley wrote:
>>Does anybody have any idea why they feel they need to collect
>>website addresses (I assume they are referring to DNS names or
>>perhaps whole URLs?) to "filter" phishing?
>Presumably it is because of their database model.
>They collect all the URLs you go to and analyse
>them for phishing. There should be a way in which
>you can alert that it is for phishing, and then
>that warning gets put into the database and is
>then available for others to also be alerted.
It's the "analyze them all for phishing" that seems a bit overdone
to me. In fact they say that they use some heuristic to determine
which URLs look like they might be phishing before sending them in -
to keep down the load. I would prefer a model (or at least an
option) where I can tell them anything I find that looks like
phishing before they send it in to the mother ship.
>This model was - to my knowledge - first introduced
>by Netcraft. It was quite successful in terms of
Meaning that users liked it?
>but how well it actually deals with the problem
>of phishing I don't know.
>I personally don't like the model. My reasons are
>a. privacy (!), b. scaling, c. reliability. For
>all these reasons I suspect it is more likely to
>only raise the bar ever so slightly, but also bring
>in many "surprising side-effects."
>But time will tell.
There is that.
I'm somewhat surprised that the only comments I've gotten back on
this good, bad, ugly browser upgrade thread is about the phishing
stuff from Microsoft.
I expected many more people would, like me, be upset by their heavy-
handed demand for "known" certificate authorities. That's the aspect
of this upgrade that really hurts our systems and users. I'm still
not sure how to respond. Probably with another education campaign
telling users how to include the DOEGrids CA into their list of
"known" certificate signing authorities. Still, it's a real pain and
to my thinking doesn't enhance real security one iota.