North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Non-English Domain Names Likely Delayed
On 19-jul-2005, at 1:43, Crist Clark wrote:
If you make a bunch of assumptions
Plus, you have to trust DNS, which means you have to trust:
1) the root 2) the gTLD 3) the authorative servers for the domain
And for 99% of the users out there,
Actually, you don't. If the DNS provides false information, the public key crypto will catch this. Sure, you won't be able to communicate, but you can't be fished that way.4) the caching servers for their ISP/employer/other access provider
you can be sure that when it says https:// www.blah.com/ in your browser, you're actually communicating with the entity holding the name www.blah.com in a secure way. So when something
There is no cure for stupidity... And I'm not even sure it's really stupidity: in their own twisted way, these users behave rationally because the energy to stay safe isn't worth keeping away the bad consequences to them. This of course changes when their online banking account is raided.Assuming the system works. SSL doesn't really work now since so many users reflexively click through warnings about bad certificates.
And while we're at it, does any of this fix whether any of the following,
www.blah-inc.com www.blah.net www.blah.biz
I don't see why this would need to be "fixed". We're not talking about 5 year olds, people need to be able to cross the road without someone holding their hand.Might trick a user into thinking he's connected to the same entity that owns www.blah.com?
> So how would fixing this make things worse?
Simple: the system then performs as designed again. All the other problems are more or less under the user's control.Wrong question. How will fixing this one problem make things any better?
And burglars also manage to get inside your house even though you lock the door. So better not lock the door then?If almost none of the phishing emails I get now bother to play these kinds of games today, how much does this really help?
That is such crap, and it's exactly this attitude that makes it possible for spam to persist. When confronted by an apparently intractable problem, in very many cases it helps to solve the parts that can be solved and then have another look at the remaining problem. More often than not it doesn't look as intractable any more.Yeah, if it's easy, go ahead, but as the mere existence of this thread seems to indicate this is not an easy problem. I worry that like many of the other spam-related problems while we have a lot of very smart people like yourself thinking hard about how to prevent abuse, we may just be rearranging the deck chairs on the Titanic.
should we be doing instead?
Many things, perhaps the two most important "we" can do:
If this is true, it means a failure on the part of the browser. I don't think we should live with that but get ourself better browsers.1) Pounding it into the users that you don't ever trust what it says in the navigation bar unless you typed it there yourself. Corrorlaries: (a) When following links on webpages, your level of trust should only be that of the least trusted page in the chain of links.
Haha. I talked to a CERT guy a while ago. They had a service where they send out dumbed down warnings to regular users (not sysadmins or whatever). I asked him why they didn't use S/MIME to sign their mail. "That confuses people." Ok then. If people in the security business (how I hate the fact that it's a business these days!) don't even want to use the tools that are available, rational thought breaks down. (Although I have to admit that it DOES look confusing in popular Windows email clients.)(b) NEVER EVER, EVER, EVER trust a link in an unsigned email.
Expansion of 1: don't trust any unsollicited communication. This includes all incoming email (unless it's signed but it never is) and phone calls. (Law enforcement at your door? How do I know those badges are real?) Never give out your password to ANYONE, EVER.2) Pounding it into merchants, banks, etc., to make sure they never ask their customers to violate (1).
But sorry, I do not have all of the answers either.
 Perhaps a better analogy is that by "cleaning up" DNS, we areNo, what's needed is that systems don't have glaring holes. Email is a joke, anyone can send messages with any "From" line that they want. Credit cards are a joke, anyone who works in a store can copy numbers and then use those online. The trouble with these two is that people have been using them as-is for so long that they don't want to give up the convenience of the insecurity. So at some level this is working for people, or they wouldn't be using it.