whir blogs

The Spam Ecosystem - More Firsthand Experience

This week, I spoke to Scott Cutler of anti-spam and email security company AppRiver, a conversation mentioned in my previous blog entry and drawn on repeatedly in a feature posted this afternoon.

It was a very long and interesting interview, and it covered a much broader discussion of the world of spam than could fit into a feature or the tail end of a blog posting on SSL certificates. I thought this might be a good place to share a couple of interesting points from that interview that deserved to be seen but didn't make their way into either of the aforementioned items.

In particular, we discussed botnet technology and its effectiveness in foiling the efforts of both those who would block spam (such as AppRiver), and those who would identify the spammers themselves.

The effort to build botnets these days is so intense that virus writers build controls into their programs that scan a newly infected machine for the presence of competing viruses, and wipe them away before installing new malicious code.

The more interesting aspect of the botnets, however, is that they distribute the commands and controls in such a way as to make it impossible to trace the source of those commands.

(Admittedly, the nuts and bolts of this begin to get beyond me.)

According to Cutler:

"The risk for the botnet creators is that if I were to capture one of these PCs that was infected and look at the code, I would be able to decipher where those instructions were coming from, and I could go upstream from there and shut down the whole network.

But they have a cellular structure to them. So the actual bot on the PC, it can look upstream to a number of places that can give it the instructions as to the next spam it's going to send out. Let's say it's grabbing that from a Web site in some Web hosting company in China. And it's been reliably doing that for a few days. If the Web hosting company in China discovers that one of the servers in its network has been compromised by one of these botnet management [groups], and the hosting company discovers this and shuts the server down, the botnet is smart enough to go find another source in order to continue doing its work. And it constantly updates the places it can go look, but it doesn't have the whole variety.

So apparently, the way the structure is built is that you could grab any one, or any 10, of these PCs that are part of the wider botnet, but you could never find all of the PCs and you could never find all of the command and controls upstream from them. So trying to shut down one of these botnets is amazingly hard. They're extremely fault tolerant."

Interestingly, just how firm the spammers' grip on the botnet situation is, and how unlikely it is that anyone will unravel or reverse that scheme, was revealed by what was supposed to be a breakthrough in fighting spam.

(Granted, this is sort of speculative hearsay type talk, but think of it as a folk tale if it helps you. It's illustrative of a more significant point.)

"I heard, and I don't remember where I heard it, there was a group of folks that was trying to unpack the botnet. And they were pretty excited about it. They thought they were going to figure it out. And when they peeled the onion back one more layer, they figured out that they weren't even close, and they're never going to be able to figure out how the botnet works.

And the group that had said that - this is a little while ago now - said the fact of the matter is, after our whole research project, we think the spammers are probably three to five years ahead of the anti-spammers.

And my personal view is that that's probably true."


How Effective will Extended Validation SSL Be?

An article posted on the PC World Web site this week pointed to the explosion in phishing sites last year, and examined the potential phishing threat now and in the future.

According to the article:

"In November 2006, the last month for which data is available, the Anti-Phishing Working Group found 37,439 new sites, up an astounding 709 percent from the 4630 sites in November of 2005."

We've seen lots of news regarding the launch of extended validation certificates from the SSL certificate authorities, and the Web hosting businesses that sell their products.

Extended validation certificates, for the behind-the-SSL-times out there, are the result of a standard for improved validation developed collaboratively by certificate authorities in a group called the CA/Browser Forum.

According to VeriSign (one of the companies involved in developing the standard):

"To issue an SSL Certificate that complies with the standard, a CA must adopt the extended certificate validation practice and pass a Webtrust audit. The validation process requires the CA to authenticate the certificate applicant's domain ownership and organizational identity, as well as the individual approver's employment with the applicant, and authority to obtain the Extended Validation SSL Certificate."

At the beginning of this year, Web browsers including Internet Explorer 7 and Opera began offering support for the new standard, highlighting the address bars of validated sites in green.
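To make concrete what the browser is actually checking when it turns the address bar green, here is an added example (not code from the original post, and not AppRiver's or VeriSign's). An EV certificate is distinguished from an ordinary one by a policy identifier the CA places in the certificate's certificatePolicies extension (OID 2.5.29.32); the browser ships a table of policy OIDs it recognises as EV and compares. In 2007 each CA asserted its own EV OID; the CA/Browser Forum later standardised a common one, 2.23.140.1.1, which is the one used below, alongside the Forum's domain-validated OID 2.23.140.1.2.1 for the non-EV case. The self-signed test certificates are constructed in the code purely for demonstration, the 1.3.6.1.4.1.99999.1 entry in the trusted table is a placeholder standing in for a per-CA OID, and everything uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidCertificatePolicies is the X.509 certificatePolicies extension (2.5.29.32).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// CABForumEV is the CA/Browser Forum's common EV policy OID (2.23.140.1.1).
var CABForumEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}

// trustedEVPolicies stands in for a browser's built-in table of EV policy OIDs.
// The second entry is a constructed placeholder, not any real CA's OID.
var trustedEVPolicies = []asn1.ObjectIdentifier{
	CABForumEV,
	{1, 3, 6, 1, 4, 1, 99999, 1}, // hypothetical per-CA EV OID (placeholder)
}

// policyInformation is the ASN.1 PolicyInformation structure, minus the
// optional qualifiers, which the test certificates do not carry.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// IsEV reports whether the certificate asserts a policy the relying party
// recognises as Extended Validation. Go exposes the parsed certificatePolicies
// extension as cert.PolicyIdentifiers. A browser additionally requires the
// chain to end at a root it has marked EV-capable; that check is omitted here.
func IsEV(cert *x509.Certificate, trusted []asn1.ObjectIdentifier) bool {
	for _, p := range cert.PolicyIdentifiers {
		for _, t := range trusted {
			if p.Equal(t) {
				return true
			}
		}
	}
	return false
}

// makeTestCert builds a self-signed certificate for demonstration only,
// carrying the given policy OIDs. Real EV certificates come from a CA after the
// organisation vetting the post describes; these are constructed on the spot.
func makeTestCert(org string, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{"example.test"},
	}
	if len(policies) > 0 {
		// Encode SEQUENCE OF PolicyInformation and attach it as the extension.
		infos := make([]policyInformation, 0, len(policies))
		for _, p := range policies {
			infos = append(infos, policyInformation{Policy: p})
		}
		val, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClassifyDemo issues one EV-style and one DV-style test certificate and
// returns whether the policy check accepts each of them as EV.
func ClassifyDemo() (bool, bool, error) {
	ev, err := makeTestCert("Example Corp", []asn1.ObjectIdentifier{CABForumEV})
	if err != nil {
		return false, false, err
	}
	dv, err := makeTestCert("", []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}})
	if err != nil {
		return false, false, err
	}
	return IsEV(ev, trustedEVPolicies), IsEV(dv, trustedEVPolicies), nil
}

func main() {
	evOK, dvOK, err := ClassifyDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("EV-style cert accepted as EV: %v\n", evOK)
	fmt.Printf("DV-style cert accepted as EV: %v\n", dvOK)
}
```

The point this makes for the discussion that follows is that "EV" is not a property a user can see in the padlock or the certificate itself; it is a claim by the CA that the browser chooses to honour from its own list, so the whole scheme rests on the CA's vetting and on the user noticing the browser's green treatment.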

Of course more validation is a good idea. And of course added validation will make certain specific phishing attacks ineffective and phishing in general more difficult to pull off.

But how effective will EV certificates be in general?

A report cited in a ZDNet article, also posted this week, says that studies have shown that EV certificates may be limited in their effectiveness at the moment.

According to this article:

"According to a recent usability report released by Microsoft and Stanford University, new Internet security tools such as EV SSL certificates have limited potential to defend against fraud by identifying the source of content displayed on a Web browser."

Specifically, they rely, at least somewhat, on the user understanding the certificates and their use. And without being educated on how SSL certificates work, a user might not be equipped to recognize an EV cert in action. And it seems to me that the kind of user who is unaware of SSL technology is the same user who would probably be most likely to fall victim to a phishing scam in the first place.

It would also stand to reason that "extended validation" was made necessary in the first place because ordinary or standard validation was less than 100 percent effective in stopping sites from being spoofed.

Phishers are already in the business of identity theft and fraud. And underestimating their ability to commit fraud would be an obvious mistake. Whether they'll be able to defraud certificate authorities to acquire EV certs of their own, or find some other way around the technology is the question. I wouldn't be quick to bet against them.

I also spoke this week to Scott Cutler, executive VP at email and spam filtering firm AppRiver.

(I'll discuss the interview further in a separate blog post)

He had a lot of interesting things to say about the cat-and-mouse game that takes place between spammers (and phishers) and the companies that work to protect users from them.

But among the most interesting impressions I took away was the awareness that anti-spam operators have of the abilities of spammers to circumvent just about any barrier we can put in their path.

While it may have once seemed that the spam problem was on its way to being "solved," anti-spam operators these days are operating from the assumption that spammers already have their next step planned.

Spamming and phishing, while often part of the same package, are not the same thing. And an SSL certificate is, of course, a completely different style of defense from a black list. But it's often the same people on the other side of those defenses, and their resources are remarkable.

It may be that the question is not "how effective will extended validation certificates be?" but "how long will extended validation certificates be effective?"



Stemming Spam: Time for Some New Ideas?

Of course, spam is always an issue in general. It's something I'm always aware of, both peripherally in terms of the Web hosting business, and personally, with regard to my own in-box.

But the fact that spam is more of a problem now than ever before has specifically been brought to my attention, anecdotally and editorially, in the last few weeks.

One of our newest bloggers, Ravi Agarwal (who happens to be CEO of a hosted Exchange company) posted last week about the massive spike in the volume of spam email over the past few months:

"At groupSPARK Exchange Hosting, we've noticed that our inbound spam has pretty much doubled over the last two months."

I also had the opportunity last week to speak to Scott Cutler, an executive vice president at spam filtering (and hosted Exchange) company AppRiver, who had plenty to say about the kinds of advances in technology that are enabling spammers to make sure their disruptive email becomes ever more voluminous and more deceptive.

Obviously, in the past year or two, the growing number of computers infected with software that makes them available for use in botnets has exponentially increased the sheer volume of messages spammers are able to deliver.

Spam, even if it doesn't reach the end user's in-box, is a serious cost issue for ISPs, both on its way in and on its way out.

Companies like AppRiver and groupSPARK certainly do their part in blocking spam, and they do good work. But the simple reality of the relationship between spam and anti-spam ensures that the anti-spam operators are always reacting to spam, which makes it difficult to make any headway against the source.

It seems to me that spam is enough of an epidemic, and there are enough people and organizations negatively affected by spam, that there ought to be some greater, organized offensive against some of the sources of spam.

Here's one: ignorance.

At its most basic level, spam relies on the reality that there are people out there who are willing to accept the reality that some well-meaning stranger is emailing them out of the blue to sell them something that will enhance their genitals. Or to inform them that they just won a contest that they don't remember entering. Or that banks ever email their customers asking for details. And that unsolicited email is the chosen method for communication of any of these people.

And one might assume that these people watch television - I'd bet a lot of them watch American Idol. How about a program of public service announcements? What about some government involvement? I'm sure ISPs would kick in some funding if they thought the program could really put a dent in the volume of spam (and it only stands to reason that reducing the willing audience for spam would reduce the number of people capable of making a living off sending it, and therefore the volume of it overall.)

I spoke to Scott Cutler about this a little bit, and he admitted that the folks at anti-spam companies (understandably) have little time to work out things outside of the realm of simply blocking the mail itself.

And I don't mean it as disparaging when I point out that it really isn't foremost in the interests of anti-spam companies to reduce the volume of spam. That's really the realm of people who deal in bandwidth.

And yes, I understand that spam will never go away entirely. Certain snail-mail scams that have been understood as such for decades still appear to be going strong. And the most successful spam, it appears, preys on that special cocktail of naiveté, insecurity and greed that seems to be one of humanity's greatest failings, and one of its most plentiful resources.

All I'm saying is, hey, let's try something else.



  © Copyright Web Host Industry Review, Inc.