http://emergentchaos.com/archives/2007/05/badidea-mikko.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2007/05/badidea-mikko.html/comment-page-1#comment-3600 Justin Wed, 09 May 2007 12:10:08 +0000 http://emergentchaos.com/?p=2355#comment-3600 I initially thought it had promise, but was swiftly disabused of the notion -- see Joe Stewart's great followup: <a href="http://www.secureworks.com/research/blog/index.php/2007/05/08/new-tlds-panacea-for-security" rel="nofollow">http://www.secureworks.com/research/blog/index.php/2007/05/08/new-tlds-panacea-for-security</a> my thoughts: to date, we're still seeing emails from banks where they "launder" their links through third-party click-tracking companies, indistinguishably from a phisher attempting to obscure the targets, and they still send mails with links to innumerable no-reputation domains instead of using their well-known home domains. While the banks act so ineptly, they'll create user confusion and they'll be phished -- new TLD or no new TLD. The banks need to cop on, basically. I initially thought it had promise, but was swiftly disabused of the notion — see Joe Stewart’s great followup:
http://www.secureworks.com/research/blog/index.php/2007/05/08/new-tlds-panacea-for-security
my thoughts: to date, we’re still seeing emails from banks where they “launder” their links through third-party click-tracking companies, indistinguishably from a phisher attempting to obscure the targets, and they still send mails with links to innumerable no-reputation domains instead of using their well-known home domains.
While the banks act so ineptly, they’ll create user confusion and they’ll be phished — new TLD or no new TLD. The banks need to cop on, basically.

]]> http://emergentchaos.com/archives/2007/05/badidea-mikko.html/comment-page-1#comment-3599 Iang (manual trackback) Wed, 09 May 2007 07:33:44 +0000 http://emergentchaos.com/?p=2355#comment-3599 It's useful to throw these ideas around ... .bank won't work, or, if it did, why did all the URL based stuff fail in the past? I wonder (<a href="https://financialcryptography.com/mt/archives/000914.html" rel="nofollow">more loudly on the blog</a>) whether the secure bookmark is an idea who's time has come? I see it as significant that many if not all of the independent research people have come to this conclusion. It’s useful to throw these ideas around … .bank won’t work, or, if it did, why did all the URL based stuff fail in the past?
I wonder (more loudly on the blog) whether the secure bookmark is an idea who’s time has come? I see it as significant that many if not all of the independent research people have come to this conclusion.

]]> http://emergentchaos.com/archives/2007/05/badidea-mikko.html/comment-page-1#comment-3598 Allan Friedman Tue, 08 May 2007 17:01:36 +0000 http://emergentchaos.com/?p=2355#comment-3598 I would be very careful with argument #1... the fact that a more secure attribute becomes a more valuable target, which becomes a more valuable target is true, but not a good argument against securing the channel. The trick is to come up with a good model of the ultimate equilibrium... do the costs of securing the url channel (including the harms of small banks) actually produce enough benefits to reduce phishing? Phishing research is hard, but this seems like something that might be possible to test, although I'm no expert in experimental design. I would be very careful with argument #1… the fact that a more secure attribute becomes a more valuable target, which becomes a more valuable target is true, but not a good argument against securing the channel. The trick is to come up with a good model of the ultimate equilibrium… do the costs of securing the url channel (including the harms of small banks) actually produce enough benefits to reduce phishing? Phishing research is hard, but this seems like something that might be possible to test, although I’m no expert in experimental design.

]]> http://emergentchaos.com/archives/2007/05/badidea-mikko.html/comment-page-1#comment-3597 Adam Tue, 08 May 2007 16:30:17 +0000 http://emergentchaos.com/?p=2355#comment-3597 I think it will be a I think it will be a

]]> http://emergentchaos.com/archives/2007/05/badidea-mikko.html/comment-page-1#comment-3596 Mordaxus Tue, 08 May 2007 16:19:14 +0000 http://emergentchaos.com/?p=2355#comment-3596 I'm not sure how I feel, Adam. If by "It won't work" you mean that it wouldn't be a 100% solution, I agree. But if you mean that it would be a 0% solution, I disagree. I think a .bank TLD is a fine idea in abstract. I think that your (2) is a valid complaint, and if a credit union couldn't get a .bank domain, then that would be in my opinion a reason to oppose it. However, there is no reason why the policies behind the .bank TLD couldn't allow for credit unions or microfinance organizations in the third world or whatever can't get them. There's no scarcity that requires this. I’m not sure how I feel, Adam. If by “It won’t work” you mean that it wouldn’t be a 100% solution, I agree. But if you mean that it would be a 0% solution, I disagree.
I think a .bank TLD is a fine idea in abstract.
I think that your (2) is a valid complaint, and if a credit union couldn’t get a .bank domain, then that would be in my opinion a reason to oppose it. However, there is no reason why the policies behind the .bank TLD couldn’t allow for credit unions or microfinance organizations in the third world or whatever can’t get them. There’s no scarcity that requires this.

]]>