WebApp Sec mailing list archives
RE: Proposal to anti-phishing
From: Michael Silk <michaelsilk () gmail com>
Date: Tue, 18 Jan 2005 23:44:15 -0800
Rogan,
The only possible attack against SSL client certs is against the "re-issue" process, I think, and there again, the bank has control. The way I see it, the phisher could try to get the user to "renew" their cert, by providing some authenticating information that the phisher could try to use to get a new cert from the bank. But, the key here is "from the BANK".
Could even be as simple as presenting a message such as: "Our cert system is down, please enter your phone banking details here to gain access". Another issue with SSL client certs (please correct me if i'm wrong) is that it's basically sitting on the computer 24/7. If you can gain access to the machine it's on you (Joe hacker..) can then take it and use it elsewhere. And laptops that are used by multiple employee's or family members, or robbers.. ? And on this note, it would mean it's fairly difficult for a user to use their banking from work and home with this setup, isn't it ? -- Michael
Current thread:
- Re: Proposal to anti-phishing, (continued)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 27)
- Re: Proposal to anti-phishing Moksha Faced (Jan 27)
- Re: Proposal to anti-phishing Jimi Thompson (Jan 23)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Robert Hajime Lanning (Jan 24)
- Re: Proposal to anti-phishing Frank Knobbe (Jan 19)
- Re: Proposal to anti-phishing Florian Weimer (Jan 19)
- RE: Proposal to anti-phishing ACMurray (Jan 15)
- RE: Proposal to anti-phishing Michael Silk (Jan 19)
- Re: Proposal to anti-phishing exon (Jan 23)
- RE: Proposal to anti-phishing Michael Silk (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Michael Silk (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Michael Silk (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)