WebApp Sec mailing list archives

Re: Article - A solution to phishing

From: Michael Silk <michaelsilk () gmail com>
Date: Sun, 28 Nov 2004 09:05:05 +1100

Hmm,

 Well that seems far easier then, doesn't it :)

 So all the user would need to do is install this certificate on their
computer and then they would login with a username and password as
normal.

 To clarify one thing, however.

 Would this leave the system open to a Man-In-The-Middle attack ? I'll
admit I'm not very familiar with using a private key to authenticate
formally but I assume it's something like:

1) Site generates random number, encrypts.
2) Site: please decryptthis number.
3) You: Okay, it's "135".
4) Site: Yes, that's what we sent you.
-- Authenticated --

 Assuming it is this system (and even if it isn't the site will need
to be passed the information required to login somehow) couldn't the
site then relay the connection on to the real bank ?

 If we used the email system you can't have this form of attack
because the bank provides you the correct link AND the correct
password; without the correct password the rest of the information you
could provide to the phisher is virtually useless.

-- Michael


On Sat, 27 Nov 2004 10:18:58 -0600, lists () dawes za net
<lists () dawes za net> wrote:

Quoting Michael Silk <michaelsilk () gmail com>:

Hi Christopher,

      Thanks for your feedback, let me address it.

      First let me say that many people have raised
      the issue (privately) of unecrypted emails not
      being good enough - and they have a point. So
      from now onwards let us assume that public
      key/private key exchange system is used to
      communicate the emails such that:


And if they are using a public key system, why would you bother with email then?
Just make them use the private key to authenticate to the website. There is
STILL no opportunity for phishing, as the user never types in any details. They
simply authenticate the SSL session using the cert, and there are no further
opportunities for information theft.

Sounds to me like you just want to use email in there somewhere! ;-)

Rogan

Current thread:

Re: Article - A solution to phishing, (continued)
- Re: Article - A solution to phishing Joseph Miller (Nov 27)
- Re: Article - A solution to phishing Peter Conrad (Nov 27)
- Re: Article - A solution to phishing John West (Nov 27)
- Re: Article - A solution to phishing Paul Johnston (Nov 27)
- RE: Article - A solution to phishing Damhuis Anton (Nov 27)
- Re: Article - A solution to phishing Michael Silk (Nov 27)
- RE: Article - A solution to phishing Robin Balean (Nov 27)
- RE: Article - A solution to phishing Michael Silk (Nov 27)
  - RE: Article - A solution to phishing lists (Nov 27)
    - Re: Article - A solution to phishing Joseph Miller (Nov 29)
    - Re: Article - A solution to phishing Michael Silk (Nov 29)
    - Re: Article - A solution to phishing Rogan Dawes (Nov 30)
    - Re: Article - A solution to phishing Adam Shostack (Dec 01)
    - Re: Article - A solution to phishing Rogan Dawes (Dec 03)
  - Message not available
    - Re: Article - A solution to phishing Michael Silk (Dec 14)
    - Re: Article - A solution to phishing Adam Tuliper (Dec 15)
    - Re: Article - A solution to phishing Ian (Dec 16)
    - Re: Article - A solution to phishing exon (Dec 20)
    - Re: Article - A solution to phishing Joseph Miller (Dec 20)
    - Re: Article - A solution to phishing exon (Dec 22)
    - Re: Article - A solution to phishing Rogan Dawes (Dec 22)

(Thread continues...)