April 21, 2004

Tumbleweed casts CA-signed cert lure

The February issue of the Nilson Report carries stats from the antiphishing.org WG. New, for me at least, is some light thrown on Tumbleweed, the company behind the WG, which, as suspected, is casting itself as a solution to phishing.

"Email Signatures [quoteth Nilson]. Tumbleweed is developing a method of using digital signature issued by a trusted Certificate Authority (CA) to sign emails. This type of technology, also being pursued by AOL, Microsoft, and Yahoo, would help thwart phishing scams. While crooks who own legitimate sounding domain names (such as Visa.customerservice.com) could still sign their messages, an alert would arrive with the email if the signature had not been issued by a CA. The larger problem with signing emails could come down the line as phishers migrate to other methods of luring victims. Some have already started using instant messaging. Next could be mobile messaging, banner ads, and sites that would turn up readily in a Google search. Beefing up law enforcement is another option, but with more and more phishers operating globally, it can take up to a week to ferret them out and shut them down."

Well, Nilson picked up the obvious, so no need to dwell on it here. It then goes on to talk about Passmark, which I slammed in Phishing - and now the "solutions providers".

What are we supposed to conclude from this parade of aspiring security beauties? One solution provider hasn't thought it through at all, and the other seems to be "just using CA-signed certs," the very technology that is being perverted in the first place. As if it hadn't thought it through at all...

Is there no security company out there that does security? It is rather boring repeating the solution, so I won't, today.

Posted by iang at April 21, 2004 10:13 AM

a) all you need is a cert signed by a CA which is registered in a Windows user's mystore (which is doable)
b) X.509 for E-Mail signing has been around for a long long long long time :)

Posted by: John at April 21, 2004 01:32 PM