[fc-discuss] Financial Cryptography Update: Microsoft scores in anti-phishing!

iang@iang.org
Tue, 25 Oct 2005 23:53:39 +0100 (BST)


((( Financial Cryptography Update: Microsoft scores in anti-phishing! )))

                            October 25, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000585.html



------------------------------------------------------------------------

Finally, some good news!  Matthias points out that <a
href="http://www.theregister.co.uk/2005/10/25/ie7_crypto_boost/">Microsoft
has announced</a> that they are <a
href="http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx">switching
to TLS in browsers</a>.  <b>Hooray!</b>  This means no more SSL v2,
and the other lackadaisical dinosaurs of the browser world can be
expected to shuffle into line (Mozilla, Safari, Konqueror, Opera...
yes, you may well look down in shame, especially Mozilla which was
facing a <a
href="http://weblogs.mozillazine.org/gerv/archives/008157.html">bombardment</a>
of <a
href="http://wiki.mozilla.org/Necko:SSL_v2_Sites">clues</a>).

I have a sneaking suspicion that Microsoft actually are thinking a bit
- not hugely but a bit - about phishing and are looking at some of the
easier ways to deal with it.  First, they acknowledged that phishing
was a browser problem, and no other browser supplier to my knowledge
has done that.  Secondly, they mention from time to time phishing and
security in the same breath, while the other guys are still stuck on
patch counts and bug statistics and similar side issues.  Thirdly:

<blockquote><i><a
href="http://www.theregister.co.uk/2005/10/25/ie7_crypto_boost/">As
part of</a> Microsoft's "secure by default" design philosophy, IE7 will
block encrypted web sessions to sites with problematic (untrusted,
revoked or expired) digital certificates. Users will receive a warning
when they visit potentially insecure sites, which users can choose to
ignore, except where certificates are revoked. "If the user clicks
through a certificate error page, the address bar will flood-fill with
red to serve as a persistent notification of the problem," Lawrence
explained.</i></blockquote>

Huh.  Not a bad idea, that, although note that it is logically the
reverse of what the Petname and Trustbar people do!  (Debates can be
had, and more could be done, but a start is a start!)  Fourthly:
