[cap-talk] Phishing with YURLs and Petnames
toby.murray at dsto.defence.gov.au
Tue Feb 14 18:20:46 EST 2006
This is all fairly interesting discussion. The main point I see
essentially relates to user expectations. That is, users are used to
receiving links in email. How many times do you send an interesting news
item to people you know via email? This is fine for ordinary links.
However, when we start talking about authority carrying YURLs, the story
is different. When receiving a capability (YURL) through a
non-capability channel (eg. email), all assumptions about trust go out
the window. This fine if users understand this. However, I think most
cannot be expected to make this distinction. (As usual, this is a total
generalisation with no real evidence to back it up -- we can argue over
whether it's acceptable if people like).
When receiving a cap over a non-cap channel, users will necessarily try
to use other means to guage the trustworthiness of the entity the cap
addresses. My point with the original email was that users might be
likely to use things like the domain name from the YURL (which can
easily be spoofed).
The Petname tool will indicate "untrusted" or whatever. However, that
was why the original email hinted at this and indicated to the user to
add the petname themself as soon as they visited. In this sense, the
user is given a statement (from a somewhat questionable authority) to
expect that the petname tool will indicate "untrusted" and to accept
this as OK. The phisher is trying to alter the user's normal
expectations in this instance by leveraging the trust the user has in
the domain name and the trust the user has in the Petname tool. By
making explicit reference to the Petname tool the phisher it trying to
increase the level of trust the user will be imputing to the email
sender. ("I trust Petname tool. yurl.net told me to use the Petname
tool. This email makes explcit reference to this tool AND [appears to
be] from yurl.net. Therefore, I'll trust the email when it tells me to
violate my usual assumptions".).
I tend to think that saying "Users should not trust an introduction over
an insecure channel, full-stop" (yeah i've paraphrased Sandro to use
Aussie dialect) is too much to ask, but maybe I'm wrong.
Advanced Computer Capabilities Group
Information Networks Division
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
More information about the cap-talk