[cryptography] Diginotar Lessons Learned (long)

Andy Steingruebl andy at steingruebl.com
Sat Sep 10 19:10:16 EDT 2011


On Sat, Sep 10, 2011 at 4:01 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
>
> Sure, figuring out whether it'll actually work is an experiment.  OTOH we have
> vast masses of data on what phishers are doing, so while we can't easily tell
> what will work, we can tell fairly easily what won't work.  If it doesn't
> address anything that phishers are doing then we know, without even bothering
> to deploy it, that it'll have no effect.


I feel like we're not really arguing here.  Nevertheless, it is
Saturday, and I'm bored, so here goes.

1. Phishing isn't the only problem, right?
2. To some degree this is a game where we have to guess their next
step, and make that harder too.
3. Who are the people arguing that TLS/HTTPS is a defense against
phishing who are doing any "real" work on any of this other than
pitching products/junk?

Getting to credentials that can't be easily given away to the wrong
party would certainly be a step in the right direction.  Several
things are hopefully working in that direction.  I'd love to have some
stats on whether people who use things like 1password/lastpass
actually get compromised less since those tools save your password,
and know whether you're on the "right site."

Please don't forget that in the presence of malware on the client
machine, most of this doesn't matter, and so depending on what you
think the balance is between phishing and malware for stealing
credentials and/or monetizing accounts, you have a different set of
things to do to make progress.

- Andy
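The mechanism behind Andy's remark that tools like 1Password/LastPass "know whether you're on the right site" is origin binding: a saved credential is keyed by the exact scheme, host and port it was saved on, and is only offered back to a page with that same origin. The following is an added illustration written for this page, not code from the post or from any password manager; the vault contents and all host names are constructed (using the reserved .example and .invalid domains), and the `credentials_for` / `origin_of` helpers are hypothetical names.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]

# Constructed vault: credentials are keyed by the exact origin
# (scheme, host, port) they were saved on, never by a site's display name.
VAULT = {
    ("https", "bank.example", 443): {"user": "alice", "password": "constructed-secret"},
}


def origin_of(url: str) -> Optional[Origin]:
    """Normalise a URL to its (scheme, host, port) origin, or None if unusable.

    Only http/https are considered, the host is lower-cased, a trailing dot is
    dropped, and the host is IDNA-encoded so a look-alike Unicode host name can
    never compare equal to the ASCII host the credential was saved for.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # not a valid IDNA host; treat as unknown origin
    try:
        port = parts.port
    except ValueError:
        return None  # malformed port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port)


def credentials_for(url: str, vault=VAULT):
    """Return the saved credential only when the page origin matches exactly.

    Anything else (a different host, a plain-http downgrade of an https site,
    user-info tricks in the URL, a look-alike host) yields None, so the manager
    simply has nothing to fill in and the user is not asked to type a password.
    """
    origin = origin_of(url)
    if origin is None:
        return None
    return vault.get(origin)


if __name__ == "__main__":
    for u in (
        "https://bank.example/login",
        "https://BANK.example:443/login",
        "https://bank.example.login-portal.invalid/",
        "http://bank.example/login",
        "https://bank.example@phish.invalid/",
    ):
        print(u, "->", "fill" if credentials_for(u) else "no match")
```

The point the example makes is that the decision is mechanical and never depends on the user reading the address bar: a credential saved on `https://bank.example` is not offered on a different host, on an http downgrade of the same host, or on a URL whose user-info part merely contains the bank's name. As Andy notes, this does nothing once malware is on the client, since the vault itself is then reachable.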


