It's even more complex because Banks (and other organizations) outsource marketing and other functions to 3rd parties. In many cases it is hard to match up the brand with the Mail From domain with the From domain. To make it even worse there may be "legitimate" links to yet other domains (for example surveys). I don't think the average email user could follow the logic (assuming they are willing to even try) and determine the risk without falling on the floor in convulsions.

I agree that the registrar race to the bottom was an unfortunate mistake, but I don't see any realistic hope of putting that genie back in the bottle and getting registrars to know their customers. Partly that's because of ICANN's institutional ineffectiveness, partly it's because of the small but very vocal anonymity absolutist lobby who are defending the rights of what appears to be an entirely hypothetical set of people who desperately need anonymous domain registration but seem OK with the lack of anonymous versions of everything else you need to work online.

Please assume that I was making two separate suggestions. One is the one you identified -- getting registrars to take at least some responsibility for authenticating their customers. In principle, that actually should be possible: ICANN has contracts with registrars, a mandate to ensure accurate contact information, and big claims that they are committed to Internet security (or at least big budget -- we were told last week that 20% of their impressive total budget goes into security). In practice, they could presumably make such a change only bottom-up. And "bottom-up", in this case, would require the approval of the registrars --including the bottom-feeders whose business models depend on these problematic behaviors. Calling that "institutional ineffectiveness" rather understates the problem, but that aspect of the problem isn't going to get fixed with ICANN as we know it. But the other part of the suggestion depends on the observation that I've never heard even the folks you characterize as "anonymity absolutists" make a serious claim that I should be able to run a business that offers things for sale to others, take their money and/or ask them for personally-identifiable information to facilitate such a sale, _and_ be anonymous. Asking a registrar to not accept registrations with hidden identity information, and insisting that "whois" records not point to hidden identity information, without certification from the registrant that they are not using that domain to conduct business, is a rather different situation from asking the registrar to actually authenticate the registrants or from cutting off individual-use anonymous registrations. That wouldn't prevent the bad guys from lying about their identities or contact information, but that act is generally considered to be criminal behavior if it is done in conjunction with, e.g., selling things or collecting funds. Today, registering in a way that keeps one's identity and contact information secret appears to be perfectly legal in most contexts. Forcing the bad guys to break existing and well-tested laws (not just fuzzy and weak anti-spam or hastily-written "cyber-something" statutes) seems to me to be A Good Thing. I'm pushing on this, not because I believe that VBR is a bad idea, but because the use of VBR as you have described it basically sets up yet another unrooted PKI. The model depends on trade associations or regulators certifying their members, which is fine, but there are lots of those. That means fairly large cert stores in your hypothetical mail client (I don't see that as a problem except for small portable devices, but there are a lot of those) but, more important, it means presenting end users with the equivalent of "the sender of this message has been vouched for by the 'Big Organization of Growing Ubiquitous Systems', do you want to accept the certificate?" messages. And we know exactly how typical end users respond to those messages and how far those arrangements get us. One could assume that BOGUS would never show up as a certifier/voucher or that no one would take them seriously, but, if the absence of VBR indications became significantly helpful in identifying phishers, that assumption would be inconsistent with our experience in the marketplace... with your observation about registrars rushing toward the bottom being part of that experience. And, of course, that assumes not only that the certification is done but that MUA implementers support yet-another message preference-determining or safety-indication system, a significant new one of which seems to appear every six or nine months. I'd like to see us pushing to see how existing mechanisms can be made effective, rather than deploying ever more mechanisms that will protect the more alert users for a while but that ultimately rest on mechanisms that have already proven to be largely ineffective in practice and at scale.

I've sat next to people from the EFF who say that anyone should be able to register a domain with no identification. They'd probably be OK with a promise from the anonymous registrants not to use their domain for business, but given that the bad guys already are breaking laws all over the place they'll just lie. A lot of security systems are designed on the implicit assumption that most people will behave themselves and the bad guys will be handled as exceptions. That's a poor assumption in a world where 95% of mail is spam, and the majority of domains are owned by speculators. If you can set up a domain in two minutes, but it takes two days to turn off a phish site (those are realistic numbers) there's no way to keep up with them. That's why I want a way to slow down creation of things that look like familiar businesses.

A lot of security systems have also been designed on the assumption that the bad guys are stupid and/or not particularly determined to accomplish their goals, i.e., that, if inconvenienced, they will move on to other careers or at least other neighborhoods. In recent years, those assumptions have been repeatedly demonstrated to be false in the spam case: receivers who are sophisticated manage to shift a higher percentage of the received spam (and phishing attacks) to those who don't, but the total amount sent just keeps going up. In that context, I'm concerned that your "branding" approach will be only a temporary, and then small, inconvenience to the bad guys. If the technique is even slightly effective, criminals will either find branding/vouching agents who will certify almost anyone (and specifically other criminals) for a small fee or who, possibly for other considerations, will certify first and collect credentials and fees later -- just as they have found DNS registrars who behave in the same ways. Or, if that does not work, they will set up their own, since there are no restrictions at all on setting up a branding organization with a fancy logo. They would not have even the barrier to get an ICANN registrar agreement or to work with someone who has one, a barrier that has shown no evidence of preventing bad behavior. In the process, you put another barrier in front of those who are trying to to create legitimate businesses on the Internet. That, in turn, tends to create more concentration of businesses (signing up with AmazHooBay stores permits one to use their branding and certificates rather than paying someone to issue a certificate to you directly and convincing them that you are authentic) and a new way to victimize the unwary (unless it is in a regulated industry, I'd expect legitimate certifiers to require background checks, bonds, etc., for new businesses -- maybe appropriate, but probably costly-- while less scrupulous ones would see a business opportunity for low-priced certification). That isn't desirable in this economy. It might be worthwhile if it would be significantly effective long-term, but I don't think the evidence points that way. Your bank analogy works as well as it does because it is a regulated industry with a well-known trade association/ regulator. Even then it doesn't work especially well because there are financial institutions not insured by the FDIC -- notably credit unions (even federally insured ones) in the US and all of the institutions outside the US. Put enough certifiers into the mix and we are back to where we started: certificate management overwhelms the typical user; those of us who can and do manage those things carefully and with a high degree of sophistication are better protected from a threat that is causing, at most, inconvenience today (i.e., the number of phishing attacks to which you or I fall victim does not go down at all); and those who less sophisticated about these things get to sift through an increasing number of logos and certificate assertions (or incur the machine overhead to do so), but are not incrementally protected at all.

You're quite right that yet another race to the bottom would be a poor idea. But I also don't think there's any need to brand all mail--it's only important for organizations that are likely to be phished. I also don't want to make the mistakes that people made with SSL. It is a strong countermeasure to a fairly exotic threat, snooping on traffic in transit, which was oversold to the point that everyone wanted an SSL cert because users thought it made a site "secure", but with no distinction among the signers. If branding is going to work, it needs strong brands, which means that MUAs have a small country-specific set of brands that are well known to the users. It's true the FDIC insures some banks and the NCUA insures others, but that doesn't mean they can't do a joint vouching service, perhaps with both logos or just the FDIC's better known one. This is a tough problem, but "call the cops if you see something illegal" is way too simple, and I can tell you from conversations with actual cops it's essential to winnow down the damage so they can concentrate their limited resources on the worst.

First, when you get an FDIC-NCUA alliance agreement to do this, and to do it with a logo arrangement that cannot be faked well enough to confuse the casual user by someone sending out HTML pages, please let us know. But, as I'm sure you are aware, NCUA charters only "Federal" Credit Unions, not the many state-chartered ones. I don't know whether their relationship with the state-chartered ones that they insure via NCUSIF would permit them to certify those organizations in this way, but I imagine it would be an interesting conversation. And, while they insure what their web site describes as a "substantial majority" of the state-chartered institutions (95% according to http://www.nascus.org/state-cu-facts.htm), that leaves somewhat over 285 institutions (including those in Puerto Rico) in US States and Territories with affiliations to neither FDIC nor NCUA/NCUSIF and for which one would have to start tracking down individual state regulators and getting them to play. Would be getting certification for only those that are members of FDIC or NCUA sufficient to make this worthwhile? Perhaps, but, of course, the first step for the bad guys would be to concentrate on those other institutions, possibly with Nigerian-like "we just found an inheritance from your long-lost great uncle... please send your personal credentials" notes. And this discussion is very US-centric. As a probably-relevant example, I don't know whether, in the EU, one certificate would be required or one per member state. If it is the latter, we would probably already be in the certificate overload area. So, again, my question isn't whether this is useful. It is whether it would actually solve a problem or merely cause the bad guys to quickly adjust their strategies and go back to business as usual. As far as the cops and the "worst damage" is concerned, what I hear from the "real cops" I talk with is that phishing stopped being a cottage industry a long time ago, with those who are unsophisticated and unmotivated long gone.