Dutch Transport Card Broken
Nicolas Williams
Nicolas.Williams at sun.com
Fri Feb 1 15:28:57 EST 2008
On Fri, Feb 01, 2008 at 07:58:16PM +0000, Steven M. Bellovin wrote:
> On Fri, 01 Feb 2008 13:29:52 +1300
> pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:
> > (Anyone have any clout with Firefox or MS? Without significant
> > browser support it's hard to get any traction, but the browser
> > vendors are too busy chasing phantoms like EV certs).
> >
> The big issue is prompting the user for a password in a way that no one
> will confuse with a web site doing so. Given all the effort that's
> been put into making Javascript more and more powerful, and given
> things like picture-in-picture attacks, I'm not optimistic. It might
> have been the right thing, once upon a time, but the horse may be too
> far out of the barn by now to make it worthwhile closing the barn door.
And on top of that web site designers don't want browser dialogs for
HTTP/TLS authentication.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list