[cap-talk] Phishing with YURLs and Petnames

Toby Murray toby.murray at dsto.defence.gov.au
Tue Feb 14 20:26:40 EST 2006


Tyler Close wrote:

>On 2/14/06, Toby Murray <toby.murray at dsto.defence.gov.au> wrote:
>
>>I tend to think that saying "Users should not trust an introduction over
>>an insecure channel, full-stop" (yeah i've paraphrased Sandro to use
>>Aussie dialect) is too much to ask, but maybe I'm wrong.
>
>But we're not asking even that much. The user can check the insecure
>introduction against the secure one by clicking on the petname
>bookmark.
>
Good point.

>You are assuming that the user will trust the insecure
>introduction in preference to the secure one, never even trying to
>validate against the previous and frequently used secure channel. 
>
I'm not saying it's likely, but possible. I'm also not saying that this 
makes Petnames/YURLs not an incredibly useful combination. All I'm 
trying to do is probe the limits of what is possible here. I wouldn't 
have suggested this problem if I thought it was easily solvable.
I personally think that tools like these are the best shot we've got at 
the moment and have great admiration and respect for those who have 
developed them and the theory on which they rest. Don't get me wrong.
-- 
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia