<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09-Feb-17 8:32 PM, Natanael wrote:<br>
</div>
<blockquote
cite="mid:CAAt2M18TnKyLUL082VbzDUo2TGGuKPv7ecH3DAYTKWFOkyqxMQ@mail.gmail.com"
type="cite">
<div dir="auto">
<div>
<div class="gmail_extra">Problems:</div>
</div>
<div class="gmail_extra" dir="auto"><br>
</div>
<div class="gmail_extra" dir="auto">1a) Many businesses have no
canonical / one ........<br>
</div>
<div class="gmail_extra" dir="auto">1b) Relevant to the one
above, many businesses have old legal names fro.........</div>
<div class="gmail_extra" dir="auto">1c) Phonetically similar
names, usage of visually similar char.......</div>
</div>
</blockquote>
<br>
Yes, excellent. I did not document it but the identities inside TLS
certificates are de facto worldwide trademarks. There are huge
issues here. I figured all those issues would present themselves
once the public are actually forced to examine the identities inside
TLS certificates. So I figured I would push this solution first.
That all these issues would become apparent once the public actually
started looking at the TLS identities. Right now they never look at
them, they just look for a padlock symbol.<br>
<br>
<blockquote
cite="mid:CAAt2M18TnKyLUL082VbzDUo2TGGuKPv7ecH3DAYTKWFOkyqxMQ@mail.gmail.com"
type="cite">
<div dir="auto"><br>
<div class="gmail_extra" dir="auto">2) You need one image per
site. It just doesn't scale. The average person has ~50
logins, IIRC. You also need to sync them between devices,
which is just more attack surface. <br>
</div>
</div>
</blockquote>
<br>
Nope, it's one image per account per computer. So you set it up when
you buy a new computer. You would only need to change it when you
get a virus on your computer. You can NEVER share this image across
the network. Once you do, MITM attacks will grab it.<br>
<br>
<blockquote
cite="mid:CAAt2M18TnKyLUL082VbzDUo2TGGuKPv7ecH3DAYTKWFOkyqxMQ@mail.gmail.com"
type="cite">
<div dir="auto">
<div class="gmail_extra" dir="auto">And instead of images, just
use a color scheme the phisher can't guess...........</div>
</div>
</blockquote>
<br>
** Your browser is an agent in the cryptography protocol. Therefore
it must authenticate itself by presenting a shared secret. Otherwise
Mallory will fake your browser, i.e. a phishing attack. The shared
secret can be anything. It could be a colour scheme, a picture, a
sound, anything. So long as your browser authenticates itself by
doing something a remote website cannot! ** For example:<br>
<br>
- tell your user how many times you have accessed this site<br>
- display a unique colour scheme<br>
- your suggestion, a custom keyboard shortcut<br>
<br>
* It's an entire category of possibilities. See list item number 4 on
page 3 of the paper. (<a class="moz-txt-link-freetext" href="https://arxiv.org/pdf/1511.03894.pdf">https://arxiv.org/pdf/1511.03894.pdf</a>)<br>
Also, see '7.1 April fool’s day at the BBC' on page 14 of the paper.<br>
<br>
<blockquote
cite="mid:CAAt2M18TnKyLUL082VbzDUo2TGGuKPv7ecH3DAYTKWFOkyqxMQ@mail.gmail.com"
type="cite">
<div dir="auto"><br>
<div class="gmail_extra" dir="auto">Also note that technically
EV certificates do what you ask for. Kind of. Because of
reasons 1a-d above, it still isn't what you want. </div>
</div>
</blockquote>
<p>Kinda but I don't think they have it entirely. I'm kinda bullying
the user into using fig 1 as a login window. Then they can't miss
the signals being sent by their browser. Fig 1 is a 'bit in your
face' compared to a green address bar.</p>
<p>Also full screen counterfeiting is kinda scary. It can
counterfeit almost anything. Video here:
<a class="moz-txt-link-freetext" href="https://www.youtube.com/watch?v=O5B5SKoIgAo">https://www.youtube.com/watch?v=O5B5SKoIgAo</a> or go to
<a class="moz-txt-link-freetext" href="http://thefutureisbright.net/fsc/">http://thefutureisbright.net/fsc/</a><br>
</p>
</body>
</html>