Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/glyph/statuses/113746640496739910">Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:12:45 JST</a><a href="https://mastodon.social/@glyph" title="glyph@mastodon.social"><img src="https://gnusocial.jp/avatar/19724-48-20221108060713.webp" width="48" height="48" alt="Glyph" style="position: absolute; left: 0; top: 0;">Glyph</a><div><a href="https://mastodon.social/@whitequark/113746623316101101" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/40873" title="dalias@hachyderm.io">Rich Felker</a></li><li><a href="https://gnusocial.jp/user/105710" title="whitequark@mastodon.social">✧✦Catherine✦✧</a></li></ul></div></section><article><p><a href="https://mastodon.social/@whitequark">@whitequark</a> <a href="https://hachyderm.io/@dalias">@dalias</a> <a href="https://mastodon.social/@mcc">@mcc</a> yes. the key detail here is that the PKI involved *includes the domain of the site* so phishing goes from "mild difficulty if the user has a PTSD level of hypervigilance, easy if they're not really paying attention" to "physically impossible without local code execution or device theft". the differences are huge. the difference is big enough that the FTC has occasionally given it the force of law: <a href="https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6" rel="nofollow">https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4285024#notice-8379241">In conversation</a><time datetime="2024-12-31T18:12:45+09:00" title="Tuesday, 31-Dec-2024 18:12:45 JST">about 3 months ago</time> <span>from <span><a href="https://mastodon.social/@glyph/113746640496739910" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@glyph/113746640496739910">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: www.ftc.gov</div><h5><a href="https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6">Security Principles: Addressing underlying causes of risk in complex systems</a></h5><div> from <span>@FTC</span></div></header><div>On December 14th, 2022, in collaboration with technologists on team CTO and attorneys in BCP, I gave a presentation at the Federal Trade Commission’s</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Glyph (glyph@mastodon.social)'s status on Tuesday, 31-Dec-2024 18:12:45 JSTGlyph
in reply to
@whitequark @dalias @mcc yes. the key detail here is that the PKI involved *includes the domain of the site* so phishing goes from "mild difficulty if the user has a PTSD level of hypervigilance, easy if they're not really paying attention" to "physically impossible without local code execution or device theft". the differences are huge. the difference is big enough that the FTC has occasionally given it the force of law: https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6
In conversationabout 3 months ago from mastodon.socialpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: www.ftc.gov
  Security Principles: Addressing underlying causes of risk in complex systems
  from @FTC
  On December 14th, 2022, in collaboration with technologists on team CTO and attorneys in BCP, I gave a presentation at the Federal Trade Commission’s

Public

Embed Notice

HTML Code

Corresponding Notice