[gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)
Rob Golding
rob.golding at astutium.com
Wed Oct 4 00:06:40 UTC 2017
On 2017-10-02 10:46, Neil Schwartzman wrote:
> That is a product of logistical limitations, not the reputation of a
> given domain. Everyone has a budget to consider, numerous checks can
> be costly in terms of computing overhead, and there is absolutely
> disparity between reputation systems (competitive advantages of one
> over the other), and how they manifest at a given user.
The link between providers of 'reputation' and 'price' isn't lost on
technically aware end-users or service providers, many of whom view
the entire concept as little more than the digital equivalent of
'insurance' (in the "ooh, you should get some insurance as you have a lot
of flammable stuff here, nudge nudge wink wink" sense).
> As a willfully intentional cesspool, an organization that "has decided
> that that's not part of its job to refuse to issue certificates for
> particular domains based on reputation" has thus made the presence
> of a Let's Encrypt cert the perfect datapoint. One upon which one
> can block.
With some browsers no longer providing clear/obvious details to users
about certificates, and the continuing proliferation of free SSL
options, "trust" in SSL has dropped since Heartbleed to almost worthless
levels; add in the who-has-issued-what-via-whom questions that
constantly seem to recur and it is little wonder consumers are
confused. SSL retains a place as a useful tool to ensure only clued-up
hackers and government spy agencies are intercepting your data, but a
replacement is long overdue.
> host phish (most phish I encounter are
> on legitimate hosting providers)
It's been several years since I have seen wholesale hosting accounts
set up specifically for phishing; it's much more cost-effective for
organised criminals to abuse an unpatched WordPress or a simple FTP
password, utilise an unknown user's hosting, run up their bandwidth,
wreck their hosting provider's IP reputation, etc.
How much cotton wool we should be wrapping users in can be debated
ad infinitum. I was on a train 2 weeks ago, and very loudly one
passenger was quoting their c/card number & security code to someone by
mobile, taking no notice that the other 150-or-so passengers could hear
every character. This is far from an isolated incident; it appears
stupidity will always win no matter what we do :(
Rob