Re: [WEB SECURITY] what if phishing went away?
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] what if phishing went away?
- Date: Wed, 26 Jul 2006 14:05:33 -0400
On 7/26/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:
> Really, the browser should only be one of at
> minimum three different layers. The others are email, and network
> content filters. They are a ways off, but defense in depth would help
> mitigate any single point of failure.

I would include stronger web site or user authentication techniques in
this list, for two reasons:

1) it's the most obvious point of failure in a successful phishing attack.
2) it's something that a single organization can do to protect itself,
without relying on ISPs/blacklist maintainers/e-mail clients/browsers
to change.

However, neither of those reasons necessarily means that stronger
authentication would actually help. ;-)

> P2P is an interesting idea, but then you'd probably have to go to a less
> commercial blacklist. That could work if you take the Cloudmark path,
> where users get higher ranked for reporting better phishing sites,
> etc...

I could see a blacklist as a natural monopoly, and thus a good place
to stick a public service rather than a commercial one.

Regards,
Brian
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org