WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Proposal to anti-phishing

From: Michael Silk <michaelsilk () gmail com>
Date: Tue, 18 Jan 2005 23:44:15 -0800
Rogan,


The only possible attack against SSL client certs is against the
"re-issue" process, I think, and there again, the bank has control. The
way I see it, the phisher could try to get the user to "renew" their
cert, by providing some authenticating information that the phisher
could try to use to get a new cert from the bank. But, the key here is
"from the BANK".


 Could even be as simple as presenting a message such as:

 "Our cert system is down, please enter your phone banking details
here to gain access".

 Another issue with SSL client certs (please correct me if i'm wrong)
is that it's basically sitting on the computer 24/7. If you can gain
access to the machine it's on you (Joe hacker..) can then take it and
use it elsewhere.

 And laptops that are used by multiple employee's or family members,
or robbers.. ?

 And on this note, it would mean it's fairly difficult for a user to
use their banking from work and home with this setup, isn't it ?

-- Michael
Previous By Date Next
Previous By Thread Next

Current thread: