Web Application Security
Re: Article - A solution to phishing, Nov 27 2004 10:05PM
Michael Silk (michaelsilk gmail com)
Hmm,

Well, that seems far easier then, doesn't it :)

So all the user would need to do is install this certificate on their
computer and then they would login with a username and password as
normal.

To clarify one thing, however.

Would this leave the system open to a Man-In-The-Middle attack? I'll
admit I'm not very familiar with using a private key to authenticate
formally, but I assume it's something like:

1) Site generates random number, encrypts.
2) Site: please decrypt this number.
3) You: Okay, it's "135".
4) Site: Yes, that's what we sent you.
-- Authenticated --

Assuming it is this system (and even if it isn't, the site will need
to be passed the information required to login somehow), couldn't the
site then relay the connection on to the real bank?

If we used the email system you can't have this form of attack
because the bank provides you the correct link AND the correct
password; without the correct password the rest of the information you
could provide to the phisher is virtually useless.

-- Michael

On Sat, 27 Nov 2004 10:18:58 -0600, lists (at) dawes.za (dot) net wrote:
> Quoting Michael Silk <michaelsilk (at) gmail (dot) com>:
>
>
>
> > Hi Christopher,
> >
> > Thanks for your feedback, let me address it.
> >
> > First let me say that many people have raised
> > the issue (privately) of unencrypted emails not
> > being good enough - and they have a point. So
> > from now onwards let us assume that a public
> > key/private key exchange system is used to
> > communicate the emails such that:
> >
>
> And if they are using a public key system, why would you bother with email then?
> Just make them use the private key to authenticate to the website. There is
> STILL no opportunity for phishing, as the user never types in any details. They
> simply authenticate the SSL session using the cert, and there are no further
> opportunities for information theft.
>
> Sounds to me like you just want to use email in there somewhere! ;-)
>
> Rogan
>

Copyright 2009, SecurityFocus