<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Feb 7, 2017 at 10:20 AM, Joseph Kilcullen <span dir="ltr"><<a href="mailto:kilcullenj@gmail.com" target="_blank">kilcullenj@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">This is a link to my original post back in June 2016. You people never told me why my solution is wrong.<br>
<br>
So please tell me. Why is my solution wrong?<br></blockquote><div><br></div><div><span style="font-size:12.8px">I suspect you would have done better to include the abstract.</span><br style="font-size:12.8px"><span style="font-size:12.8px">The limited context is an interesting focused and bounded problem. <br>Yes limited in ways </span><span style="font-size:12.8px">that make it easy to dismiss.<br></span><span style="font-size:12.8px">The first line of the abstract got my attention: </span></div><div><div style="font-size:12.8px"> "I researched the ability of browsers to counterfeit the behaviour of installed software." <br> ....See below for full abstract....<br><span style="font-size:12.8px">Comment:</span><br><div style="font-size:small"><span style="font-size:12.8px">Browser based interfaces are getting common </span><span style="font-size:12.8px">enough that understanding the details of this limited</span></div><div style="font-size:small"><span style="font-size:12.8px">case has value. One is understand what and how to constrain the feature set of browsers.</span></div></div><div style="font-size:12.8px">There are sites and users that work exclusively in a single application and they are easy to attack this way.<br>The application is loaded and the user logs in and out of the application not the system.<br>Should an attacker know a lot about a specific application (insider) and <div>the site itself an agent could do stuff to steal credentials. Some applications </div><div>have credential based privileges and a user at a low level could leave a live </div><div>imposter screen in an attempt to grab the password of a higher level.<br>A frustrated user attempting to log in might hit reset or never blink twice at a blue </div><div>screen of death. A binary could do more ... <br></div><div> </div><div>----<br>Abstract. I researched the ability of browsers to counterfeit the behaviour of installed software. In full screen mode browsers can counterfeit almost anything, including BSOD, formatting the hard drive and fake login screens. I found one category of behaviour which could not be counterfeited by a remote website. On examination every solution in that category was a secret known by the computer user and her browser. That is, remote websites cannot counterfeit what they do not know. Neither Bob nor Mallory know secrets shared between the computer user and her computer. This transformed game theory research into cryptography research. On successful verification of a TLS certificate’s digital signature the browser should present the ’user-browser’ shared secret together with the TLS certificate’s identity credentials. This allows the user to authenticate both her browser and the identity specified in the TLS certificate. Following these conclusions, an authentication mechanism for manufactured goods is presented. </div></div></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Here's a link to the latest version of the paper: <a href="https://arxiv.org/abs/1511.03894" rel="noreferrer" target="_blank">https://arxiv.org/abs/1511.038<wbr>94</a></blockquote><div> </div></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>