[cryptography] SSL is not "broken by design"

Ben Laurie ben at links.org
Sat Sep 24 14:30:21 EDT 2011


On Sat, Sep 24, 2011 at 7:28 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Ben Laurie <ben at links.org> writes:
>
>>So how about telling us what page X says.
>
> There's no single page X, it starts at page X and goes on to page Y, where
> Y = X + 5-10.
>
> (I can send you a link in private if you want, but it's way too much to post
> here).

Yes, please.

>>So as to steal your password.
>
> Isn't that then a standard phishing site?  What's the new attack here, and why
> would it defeat the risk-based assessment?

I'm just saying I think it's hard to detect when a password is being
asked for as part of the risk assessment.


