Comment by mullingitover
2 years ago
> Any replacement would have the same fraudulent traffic migrate to it.
We've had SSL on the web for 30 years now. We don't visit our bank's web site and wonder if we're really talking to our bank, but we casually accept that of course someone calling from our bank's phone number could be a fraudster. There might be some fraud that is able to migrate, but it wouldn't be the smorgasbord for fraudsters that the legacy phone system has created.
> eliminate many people's ability to access emergency services reliably
This is like saying that we can't put out the dumpster fire because it provides some people with warmth. The 911 system (at least in the US) is already a travesty. Caller locations are a crapshoot for wireless calls. Call centers aren't centralized, standardized, or coordinated, and they're overloaded. The technology is outdated. Moving it off the phone network and onto a centralized digital platform would be a massive improvement.
Right now it's easy for me to buy a look-alike domain name for a bank, host a page on that domain that looks like a bank's login page, and pass through to the real bank to take over someone's account in an automated fashion. TLS doesn't prevent me from doing that.
What TLS does do is ensure that when I communicate with a third party on the internet, that communication can't be intercepted by any intervening switches or routers. TLS per se does not have any other properties. However, we've constructed a system of chains of trust using TLS certificates and trusted third parties. That system is not a technical system and TLS does not have the innate property of enabling you to trust or not to trust someone.
It's an important distinction because the PSTN and our system of TLS Certificate Authorities are social solutions to a social problem. And so suggesting that TLS somehow magically has a property that it prevents fraud is hard for me to follow, because fraud is also a social problem and you can't use technology to solve social problems. Technology can be used to lubricate, to bring people together, and to ensure that conventions are followed and that people's solutions can interoperate. But the real innovation in TLS from a fraud perspective is actually the network of companies, nonprofits, third parties, and government agencies who have collectively established root Certificate Authorities and who have ensured that those CAs control who you trust. None of that is specified in any RFC. It's entirely something we humans made up after someone created an enabling technology.
As for problems with PSTN, there are similar technical solutions, but largely PSTN fraud and spam are a social problem and require social interventions. This is why we have the FCC in the US, for example, because when the scope of an intervention becomes large enough it has to be administered by someone. When you say PSTN doesn't work because of fraud and spam, in my mind what you're saying is that the FCC does not do enough to prevent fraud and spam.