[cryptography] Diginotar Lessons Learned (long)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Sep 10 19:01:04 EDT 2011


Andy Steingruebl <andy at steingruebl.com> writes:

>Got a prioritized list?  I'll tell you what I'm doing about them. Quite
>seriously actually...

See my off-list reply (it's my earlier ref to the EuroPKI talk again :-); I'll
post the slides next week when I've done the talk.

>Actually, figuring out whether your solution will actually work is an
>experiment right?  We can't know in advance for all of them, and we can't even
>always A/B test things.

Sure, figuring out whether it'll actually work is an experiment.  OTOH we have
vast masses of data on what phishers are doing, so while we can't easily tell
what will work, we can tell fairly easily what won't work.  If it doesn't
address anything that phishers are doing then we know, without even bothering
to deploy it, that it'll have no effect.  We can then concentrate defences in
those areas where the bad guys are actually attacking.  It's quite possible
that some of those will be remarkably effective, but at the moment we don't
know because browsers do nothing to protect users apart from trusting in
browser PKI [0], one of the things we already know doesn't work because it
doesn't address anything that phishers are exploiting.

Peter.

[0] I'm not counting site blacklists in this, since they're mostly pointless.
