WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: Rogan Dawes <discard () dawes za net>
Date: Fri, 03 Dec 2004 18:06:20 +0100
Adam Shostack wrote:
| No. The user would install the certificate on their computer, and they | would then not need a username and password at all (other than a | passphrase to protect the prvate key on their local machine - the | passphrase is never entered on a remote site, and the private key itself | is never sent of the machine anyway).| | Certificates are "the" solution to this problem.
| No, assuming the real bank is verifying the client certificate for all | connections. It is impossible (without breaking SSL) to perform man in | the middle attacks when both client and server are using certificates.Really? It is impossible to perform a MITM if both sides are validating the certificates. If you visit phisher.screwthemall.com and that site has a server cert signed by a CA installed in the browser, then phisher can just visit your bank, get the challenge bits, send them on to you, and then send your responses to your bank. (I think. Its still somewhat early, but I can't see why SSL would break in a user visible way here.)
I'm not entirely sure if you are agreeing or disagreeing with me here. Note that I said, if the connection is using mutually authenticated SSL (i.e. both client and server present certificates to each other), there is no way to MITM the connection, barring a cryptographic break of the SSL protocol itself.
For a detailed explanation, please see http://www.cgisecurity.com/owasp/html/ch07s04.html
The thing is, that if client certificates are used, nothing is ever typed into a site that a phisher could use to impersonate you. So, no phishing is possible.
Shoot, a client implementation that, like SSH, remembered the banks cert, rather than throwing away that information in favor of a CA signature would improve things. Adam
And what would happen when the cert is renewed, as they are/should be on an annual basis?
That is why the CA process was designed, to allow for this sort of thing.Nonetheless, I hear what you are saying. If the cert of a site that we have visited before changes, maybe a simple notification could be popped up. But then I question the value of this. What do we want the user to do? If this happens on a regular basis, with the various sites that they visit, they will simply learn to click OK.
And if they visit a phisher, who is using a different site name, with a different certificate, there will be nothing to compare with. This would only identify the case where a phisher has managed to obtain a CA-signed cert for the target server (www.mybank.com), managed to intercept your connection to the real mybank.com, and route it to their own servers.
If they have done that, there are bigger problems!!!! Regards, Rogan -- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
Current thread:
- Re: Article - A solution to phishing, (continued)
- Re: Article - A solution to phishing Paul Johnston (Nov 27)
- RE: Article - A solution to phishing Damhuis Anton (Nov 27)
- Re: Article - A solution to phishing Michael Silk (Nov 27)
- RE: Article - A solution to phishing Robin Balean (Nov 27)
- RE: Article - A solution to phishing Michael Silk (Nov 27)
- RE: Article - A solution to phishing lists (Nov 27)
- Re: Article - A solution to phishing Joseph Miller (Nov 29)
- Re: Article - A solution to phishing Michael Silk (Nov 29)
- Re: Article - A solution to phishing Rogan Dawes (Nov 30)
- Re: Article - A solution to phishing Adam Shostack (Dec 01)
- Re: Article - A solution to phishing Rogan Dawes (Dec 03)
- RE: Article - A solution to phishing lists (Nov 27)
- Re: Article - A solution to phishing Michael Silk (Dec 14)
- Re: Article - A solution to phishing Adam Tuliper (Dec 15)
- Re: Article - A solution to phishing Ian (Dec 16)
- Re: Article - A solution to phishing exon (Dec 20)
- Re: Article - A solution to phishing Joseph Miller (Dec 20)
- Re: Article - A solution to phishing exon (Dec 22)
- Re: Article - A solution to phishing Rogan Dawes (Dec 22)
- RE: Article - A solution to phishing Mark Curphey (Nov 29)