
SANS Security Trend Line

Fighting Spam and Web Site Spoofing Attacks: Lessons Learned from the Traffic Light

An interesting timeline involving the colors red, yellow and green:

  • August 5th, 1914 - the first electric traffic light is installed in Cleveland, OH, driven by the chaos at intersections caused by the explosion in the number of automobiles on the roads. The system was based on the convention used for railroad signals, where red meant danger and green meant safe.
  • November, 1935 - the American Association of State Highway Officials publishes the first Manual on Uniform Traffic Control Devices, standardizing the red/yellow/green scheme for traffic lights nationwide. This leads to state laws making it illegal to disobey such signals.
  • October, 1957 - to convince pedestrians that crossing streets at intersections is much safer than "jay-walking", New York City kicks off the "Cross at the Green, Not In-between" public service advertising campaign, which for many years drilled the concept into the minds of TV viewers, especially children. Over the next several decades hundreds of millions of advertising and community education dollars are spent on this concept.
  • June, 2007 - the Certificate Authority/Browser Forum defines Extended Validation certificates, driven by web site spoofing chaos at the "intersections" (web sites) on the Internet "highways." Browsers will show a green URL bar when the site's identity has been strongly validated, and a red bar when validation fails. At Gartner in that timeframe, Avivah Litan, Vic Wheatman, Greg Young and I wrote a Research Note, "Extended Validation SSL Certificates: A Big Step Forward, but More Progress Is Needed," about EV certs that said:

    "By year-end 2007, the CA/Browser Forum has to issue standards for the revocation process and the external audit of CA registration processes. Before that, the CA/Browser Forum members should invest in a consumer awareness and education campaign, focusing on informing consumers on the limitations of EV SSL certificates and all the additional precautions they should take to be sure they are dealing with legitimate businesses."

    Unfortunately, the CA/Browser Forum members did none of that, and today no user has any idea what the difference is between a red URL bar and a green one, other than a vague feeling that green is probably better than red - but no one looks at the URL bar anyway.

  • January, 2012 - Fifteen of the largest email providers and financial service institutions join together and announce support for the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard to help fight phishing by making sender spoofing harder. A domain owner publishes a DNS policy telling receivers to quarantine or reject mail whose From: domain does not align with a passing SPF or DKIM check, and receivers send reports of what they saw back to the owner. DMARC itself only tells receivers how to handle the mail and says nothing about what the user sees; showing a green shield in the email client when the source has been strongly validated is left to individual mail clients, and is basically emulating the EV cert approach.
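To make the DMARC mechanism concrete, here is an added example (not code from the original post, and not any provider's implementation) that parses a DMARC policy record and applies the identifier-alignment rules from RFC 7489 to a message's SPF and DKIM results. The domains, records and authentication results are constructed for illustration; the organizational-domain logic is simplified to the last two DNS labels, where real receivers consult the Public Suffix List.

```python
"""DMARC policy parsing and alignment evaluation, modeled on RFC 7489.

Added example; all domains and records below are constructed. Organizational
domain derivation is simplified (last two labels) rather than PSL-based.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record into tags, applying RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' the same org domain."""
    a = auth_domain.lower().strip(".")
    f = from_domain.lower().strip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the RFC5322.From header
    spf_domain: Optional[str]        # RFC5321.MailFrom domain if SPF passed, else None
    dkim_domains: Tuple[str, ...]    # d= of every DKIM signature that verified


def evaluate(record: Dict[str, str], r: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition): a message passes if either an
    aligned SPF pass or an aligned DKIM pass exists; otherwise the published
    p= policy applies. (pct= sampling is ignored here for determinism.)"""
    spf_ok = r.spf_domain is not None and aligned(r.spf_domain, r.from_domain, record["aspf"])
    dkim_ok = any(aligned(d, r.from_domain, record["adkim"]) for d in r.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]


if __name__ == "__main__":
    # Constructed record as the bank would publish at _dmarc.bank.example
    policy = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@bank.example")

    # Legitimate mail: bounces from a subdomain, DKIM signed by a subdomain
    legit = AuthResults("bank.example", "bounce.bank.example", ("mail.bank.example",))
    # Spoof: From: claims bank.example, but SPF/DKIM authenticate the attacker's domain
    spoof = AuthResults("bank.example", "phisher.example", ("phisher.example",))

    print("legit:", evaluate(policy, legit))   # ('pass', 'none')
    print("spoof:", evaluate(policy, spoof))   # ('fail', 'reject')
```

Note what the evaluation does and does not decide: it yields a disposition (none, quarantine, reject) for the receiving server, and whether a pass is ever surfaced to the reader as a green shield is entirely the mail client's choice. Switching the record to `adkim=s; aspf=s` makes the subdomain-signed legitimate mail fail too, which is why senders usually start with relaxed alignment and `p=none` while they read the aggregate reports.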

I'd like to have an event on the timeline where the industry members that got behind DMARC launch a public education campaign along the lines of "Read Email at the Green, Not In-between," but so far the email folks are repeating the mistakes of the CA/Browser Forum and not investing in such an effort at all.

That's a mistake - just festooning dangerous things with warning stickers does not increase safety, it only provides lawyers with ammunition to fight damage suits. There is an opportunity, in both browsers and email clients, to teach people to avoid danger - just the way most of us at least look both ways when we do cross in-between. That's an investment the browser, CA and email folks should be making.
