[TrustBar] Netcraft breaks ranks and points the crooked black claw
of doom at the SSL security model
Ian G
iang at iang.org
Sat Jan 1 10:39:17 EST 2005
For those not watching my blog, here is what I think
to be a remarkably different approach to addressing
phishing from Netcraft. It competes quite well with
the trustbar approach; if the paper's not in 'final' it
might be worth a small section on its alternate use
of a centralised database and intention to create a
feedback mechanism into that database by the users.
iang
-------- Original Message --------
Financial Cryptography Update: Netcraft breaks ranks and points the crooked black claw of doom at the SSL security model
December 30, 2004
------------------------------------------------------------------------
http://www.financialcryptography.com/mt/archives/000287.html
------------------------------------------------------------------------
In a show of remarkable adeptness, Netcraft have released an
anti-phishing plugin for IE. Firefox is coming, so they say. This
was exciting enough to make it on Slashdot, as David at Mozilla pointed
out to me.
http://news.netcraft.com/archives/2004/12/28/netcraft_antiphishing_toolbar_available_for_download.html
http://slashdot.org/article.pl?sid=04/12/30/146245
There are now dozens of plugins floating around designed to address
phishing. (If that doesn't say this is a browser issue, I don't know
what will. Yes, the phish are growing wings and trialling cell phones,
pagers and any other thing they can get at, but the main casting action
is still a browser game.) The trustbar one is my favourite, although
it doesn't work on my Firefox.
So, what about Netcraft? Well, it's quite inspired. Netcraft have
this big database of all the webservers in existence, and quite a few
that are not. The plugin simply pops on over to the Netcraft database
and asks for the vital stats on that website.
Well, hey ho! Why didn't we think of that?
There's a very good reason why not. Several in fact. Firstly, this
puts Netcraft into your browser in an important position; if they
succeed at this, then they have entrée into the users' hearts and minds.
That means some sort of advertising revenue model, etc etc, as clearly
permitted in their licence. Or worse, like their own little spyware
programs which may or may not be permitted under their Privacy clause.
(So one reason we didn't think of that is because we all hate
advertising models ... just so we're clear on that point!)
But more interesting is that Netcraft is a player in the security
industry. At least, they are a collector of CA and SSL statistics, and
their reports sell for mighty big bucks. So one might expect them to
pay attention to those suggestions that supported the SSL industry,
like the ones that I frequently propose.
But, no. What they have done is completely bypassed the SSL security
model and crafted a new one based on a database of known information.
If one has followed the CA security debate, it bears a stunning
similarity to the notions of what we'd do if we were attempting to fix
the model. It's the endgame: to fix the revocation problem you add
online checking which means you don't need the CAs any more.
Boom. If Netcraft succeeds in this approach (and there is no reason
why others can't copy it!) then we don't need CAs any more. Well,
that's not quite true, what this implies is that Netcraft just became a
CA. But, they are a CA according to their rules, not those historical
artifacts popularised by accounting entities such as WebTrust.
So it's another way to become a CA: give away the service for free,
acquire the user base, and figure out how to charge for it later. A
classic dotcom boom strategy, right? Bypass the browser policy
completely because they are struggling under the weight of the WebTrust
legacy, and can't see the wood for the trees.
(Now, some will be scratching their heads about the apparent lack of a
cert in the plugin. Don't worry, that's an implementation detail.
They can add that later, for now they offer a free certificate service
with no cert. Think of the upgrade potential here. The important
thing is to see if this works as a *business* model first.)
So this takes aim at the very group that they sell reports to. Of
course, the people who want to buy reports on certificate use are the
CAs, and their various suppliers of CA toolkits.
That's why it's a significant event. (And another reason why we didn't
think of it!)
Netcraft have obviously worked out several things: the CAs are
powerless to do anything about phishing, and that's a much bigger
revenue stream than a few boring reports. Further, the security model
is stagnant at best and a crock at worst, so why not try something new?
And, the browser manufacturers aren't playing their part, with nary a
one admitting that the problem is in their patch. So their users are
also vulnerable to a takeover by someone with some marketing and
security sense.
Well done Netcraft, is all I can say! Which is to say that I have no
idea whether the plugin itself will work as advertised. But the
concept, now, that's grand!