WebApp Sec: RE: (secure email) Proposal to anti-phishing

RE: (secure email) Proposal to anti-phishing

From: Lyal Collins <lyal.collins_at_key2it.com.au>
Date: Mon, 24 Jan 2005 18:26:40 +1100

> -----Original Message-----
> From: Michael Silk [mailto:michaelsilk_at_gmail.com]
> Sent: Monday, 24 January 2005 3:24 PM
> To: lyal.collins_at_key2it.com.au; webappsec_at_securityfocus.com
> Subject: RE: (secure email) Proposal to anti-phishing
>
>
> Lyal said:
> > > The difference is that client-side SSL exists today in an industry
> > > standard platform independent manner that could be effectively
> > > deployed. (management is a different issue that I will be a coward and
> > > ignore for now.)
> >
> > It's hard to see how changing the location of a password
> > verification actually makes any difference to accountholder
> > security or phishing.
>
> Is it? Surely it's easy to see. Phishing requires the user to enter
> the password in a website. If they don't need to do this (or only
> enter partial password) because of certificate, then I think it's
> pretty easy to see how that is an advantage.

Seen the newer generations of phishing, where going to the faked bank site
loads up the user's PC with spyware, keyloggers et al?

Certificates are compromised as soon as any malware enters the machine -
which is useless in this phishing scenario.

>
> > > And then there's the pragmatic fact that people will pay Microsoft
> > > protection-racket funds for Microsoft anti-spyware to protect
> > > themselves transparently in the background from the crappy software
> > > Microsoft *SOLD* them in the first place...and they will do this long
> > > before they'll use any of the "secure email"
> > > solutions today that require user interaction & thought.
> > >
> > > But I'm all for a global standard secure email solution if you happen
> > > to have one of those handy,
> >
> > Actually, my company does - if anyone wants to buy it.
>
> Global, is it? Who buys it then? How does it work? Care to share more
> details, because there is not much information on your site. Doesn't
> seem any different to what PGP would provide.
>
> It's also rather interesting that you claim it "encrypts" everything,
> but also analyses it for spam, viruses ... now just how does it do
> that :) ?
>
> And what is "content checked". Seems far too "big brother" for
> my liking.
>
Received on Jan 24 2005
