[cryptography] SSL is not "broken by design"

James A. Donald jamesd at echeque.com
Mon Sep 19 18:18:19 EDT 2011


On 2011-09-20 6:48 AM, James A. Donald wrote:
> On 2011-09-20 5:16 AM, Nico Williams wrote:
>> As for out-of-band phishing, well, that's the hardest to protect
>> against for the simple reason that some phishing e-mail is always
>> bound to get through and prey on the elderly and naive. I'm not sure
>> what we can really do about this

Suppose that zero knowledge logon is widely implemented:

Suppose that shared secrets are normally entered in an application that
looks strikingly different from a normal web page. It has a colorful and
irregular non-rectangular window that differs from one user to the next,
and it always positions itself over other windows so that it overlaps both
the web page and the desktop, or whatever non-web apps happen to be
there. This is deliberately different, since all normal overlaps are
rectangular.

The phisher has to ask the victim to enter credentials in a
non-standard, unusual manner, something noticeably different from what the
victim normally does, in an application that looks noticeably different
from the normal one. This will automatically trigger most people's
reflexive suspicion.
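The "zero knowledge logon" the message presupposes, as an added example that is not part of the original post: a minimal SRP-6a exchange (RFC 2945 / RFC 5054 style) in plain Python, using SHA-256 and the 1024-bit group from RFC 5054. It shows that the password never crosses the wire, that only a server holding the right verifier can complete the exchange, and that a phishing server holding a guessed record can neither verify the client's proof nor produce a server proof the client accepts. The usernames, passwords and salts are constructed for the demonstration; the lack of a UI is the point, since the credential never leaves the client's window at all.

```python
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054, Appendix A, with g = 2.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def to_bytes(x):  # minimal big-endian encoding of a non-negative integer
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def pad(x):       # RFC 5054 PAD(): left-pad to the byte length of N
    return x.to_bytes(NLEN, "big")

def Hb(*parts):   # SHA-256 over the concatenation, as bytes
    return hashlib.sha256(b"".join(parts)).digest()

def Hi(*parts):   # same hash, as an integer
    return int.from_bytes(Hb(*parts), "big")

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

k = Hi(to_bytes(N), pad(g))  # SRP-6a multiplier parameter

def register(username, password):
    """Enrolment. The server keeps salt and verifier v = g^x only; the
    password is neither stored nor, later, transmitted."""
    salt = secrets.token_bytes(16)
    x = Hi(salt, Hb(f"{username}:{password}".encode()))
    return {"I": username, "s": salt, "v": pow(g, x, N)}

def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)              # (a, A); only A goes on the wire

def server_start(record, A):
    if A % N == 0:
        raise ValueError("client sent A = 0 mod N")
    b = secrets.randbits(256)
    return b, (k * record["v"] + pow(g, b, N)) % N   # (b, B)

def client_finish(username, password, salt, a, A, B):
    """Derive session key K from the typed password; return K and proof M1."""
    if B % N == 0:
        raise ValueError("server sent B = 0 mod N")
    u = Hi(pad(A), pad(B))
    if u == 0:
        raise ValueError("u = 0")
    x = Hi(salt, Hb(f"{username}:{password}".encode()))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = Hb(to_bytes(S))
    M1 = Hb(xor(Hb(to_bytes(N)), Hb(to_bytes(g))), Hb(username.encode()),
            salt, to_bytes(A), to_bytes(B), K)
    return K, M1

def server_finish(record, A, b, B, M1):
    """Recompute K from the verifier, check M1, build M2.
    Returns (accepted, K, M2); an honest server sends M2 only if accepted."""
    u = Hi(pad(A), pad(B))
    S = pow((A * pow(record["v"], u, N)) % N, b, N)
    K = Hb(to_bytes(S))
    expected = Hb(xor(Hb(to_bytes(N)), Hb(to_bytes(g))),
                  Hb(record["I"].encode()), record["s"],
                  to_bytes(A), to_bytes(B), K)
    return hmac.compare_digest(expected, M1), K, Hb(to_bytes(A), M1, K)

def client_verify(A, M1, K, M2):
    return hmac.compare_digest(Hb(to_bytes(A), M1, K), M2)

def run_login(username, password, record):
    """One full exchange between a client typing `password` and a server
    holding `record` (possibly a phisher's guessed record). Returns each
    side's verdict, whether they agree on K, and the whole wire transcript
    so the caller can confirm the password never crossed it."""
    a, A = client_start()
    b, B = server_start(record, A)
    K_c, M1 = client_finish(username, password, record["s"], a, A, B)
    ok, K_s, M2 = server_finish(record, A, b, B, M1)
    # A phisher would send its M2 anyway; the client rejects it because the
    # phisher's K came from the wrong verifier.
    return {"server_ok": ok,
            "client_ok": client_verify(A, M1, K_c, M2),
            "keys_match": K_c == K_s,
            "wire": b"".join([username.encode(), to_bytes(A), record["s"],
                              to_bytes(B), M1, M2])}

if __name__ == "__main__":
    rec = register("alice", "correct horse battery staple")  # constructed sample
    print(run_login("alice", "correct horse battery staple", rec)["client_ok"])
```

The point for the phishing discussion: the transcript consists of the username, A, the salt, B, M1 and M2, none of which lets a fake server recover the password or impersonate the user to the real server. What SRP does not do is stop the user from typing the password into an ordinary HTML form on the phisher's page, which is why the post pairs it with a credential-entry window that looks unlike anything a web page can draw.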


