[WEB SECURITY] what if phishing went away?

Brian Eaton eaton.lists at gmail.com
Wed Jul 26 12:30:28 EDT 2006


On 7/26/06, RSnake <rsnake at shocking.com> wrote:
> Instead of spamming the list, I wrote my thoughts (reactions to the
> comments made here) on the blog:
>
> http://ha.ckers.org/blog/20060726/phishing-domainkeys-laundering-oh-my/

Interesting notes on the blog.  One comment on this:

> DoSing the lists wouldn't work, they all go through a vetting process as to who
> can actually submit them

DoSing the lists by submitting valid sites isn't a bad idea, but
wasn't the attack vector I was talking about.  I was actually talking
about DoSing the servers responsible for pushing the blacklists
out to clients.  I haven't played with this stuff at all, but from
reading descriptions of how the IE 7 phishing filter works it sounds
like there need to be central servers that are publishing the
blacklist.  If those servers aren't available, the blacklist can't be
used.

Blue Security, RIP.

Maybe somebody should build a P2P network for the blacklist distribution?

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
