Friday 1 June 2007

Zulfikar Ramzan is Correct About Phishing

Zully is right on in his demolition of Mikko Hypponen's idea for a ".bank" TLD.

Writing on Symantec's Security Response weblog, he basically urinates all over Mikko's plan (although he's a lot more diplomatic than that). Some choice cuts:
"Phishers don’t have to use the .bank extension and most users will fail to notice ... if you look at almost every phishing site these days, the URL itself is a blatant giveaway that you’re not at an authentic site."

"The proposal will also lull users into a false sense of security for a number of reasons ... The bad guys may still be able to get .bank domains ... won’t stop phishing attacks that exploit cross-site scripting vulnerabilities ... Browsers are sometimes susceptible to address-bar overlay vulnerabilities."
Or, to put it another way, the problem with this proposal is that roughly half the population have below-average intelligence (hat tip: APHC).
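As an added illustration of the "the URL itself is a giveaway" point (example code written for this page, not from the post, Symantec or Mikko's proposal): the check a hurried user is effectively being asked to perform is "does the address contain .bank?", and that is not the same question as "is the host actually under the .bank top-level domain?". The sample URLs are constructed, and `.bank` is treated as the proposed TLD.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample URLs (not from the original post). Every one of them
# contains the literal text ".bank", but only the first actually sits under
# the proposed .bank top-level domain.
SAMPLE_URLS = [
    "https://www.example.bank/login",                  # genuine .bank host
    "https://www.example.bank.lookalike.test/login",   # ".bank" as a subdomain label
    "https://lookalike.test/www.example.bank/login",   # ".bank" hidden in the path
    "https://www.example.bank@lookalike.test/login",   # ".bank" in the userinfo part
    "https://lookalike.test/login?next=example.bank",  # ".bank" in the query string
]


def naive_contains_bank(url: str) -> bool:
    """The check a user glancing at the address bar effectively performs."""
    return ".bank" in url.lower()


def top_level_domain(url: str) -> Optional[str]:
    """Parse the URL properly and return the host's real top-level label.

    urlsplit().hostname discards scheme, userinfo ("user@"), port, path and
    query, which are exactly the places a lookalike URL hides the bait.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".").rsplit(".", 1)[-1].lower()


def under_bank_tld(url: str) -> bool:
    """True only when the parsed host actually ends in the .bank TLD."""
    return top_level_domain(url) == "bank"


def classify(urls: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (url, naive verdict, parsed verdict) for each URL."""
    return [(u, naive_contains_bank(u), under_bank_tld(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, real in classify(SAMPLE_URLS):
        print(f"contains .bank: {naive!s:5}  really .bank TLD: {real!s:5}  {url}")
```

Only the first URL passes the parsed check; the naive check accepts all five, which is the "most users will fail to notice" problem in code.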

Sure, it's easy to be a critic, but such ideas just waste energy that could be ploughed into useful furrows, such as DKIM and domain-level reputation.

See also: BofA Sitekey, Yahoo! Signin Seal, etc., etc.
