Thread: Notes on Web authentication enhancements




Notes on Web authentication enhancements
user name
2006-07-07 20:06:34
> [mailto:ietf-http-auth-bouncesosafoundation.org] On Behalf

> 1) Most sites are not targeted by phishers today, and
> unlikely to be targeted in the future, so they should not be
> forced to put in technology for resolving phishing.

This is completely wrong.

Every type of site is targeted by criminal schemes; blogs
are currently targets for spam and for dropping trojans onto
user machines via spyware.

If I can get hold of a blogger's username and password I
can install a trojan dropper onto their site. Blogger has
been infested with hundreds of thousands of sites with music
backgrounds provided by spyware companies. 

There are already extensive attacks against search engines.
If you can see the searches someone has done recently you
can quickly build up a picture to use in an identity theft.



> 2) Currently the user has NO trusted site or client and is
> easily phished. Once the user has one trusted software
> system, then that system can more easily determine the
> identity of other sites. In other words, the user will not
> have to build up the full assurance stack with each site, the
> user can leverage something they already trust to assist in
> making the trust decision.

The problem is not a lack of trusted sites, it is a lack of
sites that are trustWORTHY.
_______________________________________________
Ietf-http-auth mailing list
Ietf-http-authosafoundation.org
http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth
Notes on Web authentication enhancements
user name
2006-07-11 17:53:46
On 7-Jul-06, at 1:06 PM, Hallam-Baker, Phillip wrote:

>
>> [mailto:ietf-http-auth-bouncesosafoundation.org] On Behalf
>
>> 1) Most sites are not targeted by phishers today, and
>> unlikely to be targeted in the future, so they should not be
>> forced to put in technology for resolving phishing.
>
> This is completely wrong.
>
> Every type of site is targeted by criminal schemes; blogs are
> currently targets for spam and for dropping trojans onto user
> machines via spyware.
>
> If I can get hold of a blogger's username and password I can
> install a trojan dropper onto their site. Blogger has been infested
> with hundreds of thousands of sites with music backgrounds provided
> by spyware companies.
>
> There are already extensive attacks against search engines. If you
> can see the searches someone has done recently you can quickly
> build up a picture to use in an identity theft.

Just to clarify, phishers are spoofing Google and Blogger to steal
credentials? If so, I stand corrected.

>
>> 2) Currently the user has NO trusted site or client and is
>> easily phished. Once the user has one trusted software
>> system, then that system can more easily determine the
>> identity of other sites. In other words, the user will not
>> have to build up the full assurance stack with each site, the
>> user can leverage something they already trust to assist in
>> making the trust decision.
>
> The problem is not a lack of trusted sites, it is a lack of sites
> that are trustWORTHY.

Agreed. Semantics is not one of my stronger skills. 
