Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: (secure email) Proposal to anti-phishing

from [Evans, Arian] Network Security [Permanent Link]
Subject: RE: (secure email) Proposal to anti-phishing
Date: Tue, 18 Jan 2005 11:44:36 -0600 
 


-----Original Message-----
From: Lyal Collins [mailto:lyal.collins@key2it.com.au] 

-----Original Message-----
From: Rogan Dawes [mailto:discard@dawes.za.net] 
[snip]

Please take a look at the thread that starts
http://seclists.org/lists/webappsec/2004/Oct-Dec/0291.html

and especially 
<http://seclists.org/lists/webappsec/2004/Oct-Dec/0347.html>
where I explain why I believe SSL client certificates are really the 
only practical solution to preventing phishing.

[snip]
Well, there may be one other good option to stop phishing.
If emails could be positively identified as coming from a 
customer's bank,
then they could ignore those that don't authenticate as 
spam/phishing/fraud.


The difference is that client-side SSL exists today in an
industry standard platform independent manner that could be
effectively deployed. (management is a different issue that
I will be a coward and ignore for now.)

"secure email"....what is that? It doesn't exist is the problem,
unless you want to talk a specific software package or a
one of the "secure email portal" solutions (hosted or device).
Those aren't any more reasonable than a token.

Kiosk. Airport or hotel shared system, etc. Are going to carry
around your thumb drive and install PGP and your keyring on
every system you use if they let you?

And then there's the pragmatic fact that people will pay Microsoft
protection-racket funds for Microsoft anti-spyware to protect
themselves transparently in the background from the crappy
software Microsoft *SOLD* them in the first place...and they
will do this long before they'll use any of the "secure email"
solutions today that require user interaction & thought.

But I'm all for an global standard secure email solution if you
happen to have one of those handy,

Arian





The information transmitted in this e-mail is intended only for the addressee 
and may contain confidential and/or privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or 
taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject them to 
criminal or civil liability. If you received this communication 
in error, please contact us immediately at 816.421.6611, and delete the 
communication from any computer or network system.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Web site cookie overload?, Richard M. Smith
Next by Date:  Exploits from command line?, Benjamin Livshits
Previous by Thread:  Web site cookie overload?, Richard M. Smith
Next by Thread:  RE: (secure email) Proposal to anti-phishing, Lyal Collins
Indexes:  [Date] [Thread] [Top] [All Lists]