[cryptography] Diginotar Lessons Learned (long)

Andy Steingruebl andy at steingruebl.com
Mon Sep 12 13:31:02 EDT 2011


On Sun, Sep 11, 2011 at 10:45 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> "James A. Donald" <jamesd at echeque.com> writes:
>>On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
>>> 1. Phishing isn't the only problem right?
>>> 2. To some degree this is a game where we have to guess their next
>>> step, and make that harder too.
>>
>>If we were doing something about their first step, then it would be necessary
>>to guess their next step.
>
> My point exactly.  We can start debating what type of lock to put on the barn
> door once we add a door.

Several things already in place and/or in progress:

1. DKIM

2. ADSP (or replacement)

3. Email security indicators research - do they help, hurt, or do
nothing. I don't think existing work on other browser security
indicators is perfectly relevant in this space. For an example of
what I mean - http://www.iconix.com/ , but both Google and Yahoo have
experiments that are similar.

4. Non-stealable "credentials". A much longer/harder problem.

Even with these of course attackers can steal other things of value...
That said, I think phishing against some folks is actually in serious
decline, and we're pushing the attackers away from phishing and
towards other things. Data is of course notoriously hard to get on
this front.

BTW, lest you be confused about some other reported metrics, check
here: http://www.thesecuritypractice.com/the_security_practice/2011/02/phishing-metrics-demystified.html

- Andy
