<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 16-Feb-17 6:28 PM, Tom Mitchell
wrote:<br>
</div>
<blockquote
cite="mid:CAAMy4UR3bZAFxMWFhwD=pk3KPXP93wALyoqpam9G4QoWA-emYA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Wed, Feb 15, 2017 at 11:41 AM,
Joseph Kilcullen <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:kilcullenj@gmail.com" target="_blank">kilcullenj@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Once you view the web browser as an actor in the
cryptography protocol everything else is classic
cryptography i.e. your browser must authenticate itself by
presenting a shared secret. That's it!</blockquote>
<br>
<div><br>
It still has value but is not sufficient. If local
javascript can see the local image then<br>
it can be stolen or used in place.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
An important point: Fig1 is NOT a web page! Sure the layout looks
like a web page but that's just modern interfaces for you. The whole
point is that you are talking to personality (A) when you are
looking at Fig1.<br>
<br>
<br>
----<br>
Taken from the paper:<br>
<br>
April fool’s day at the BBC<br>
---------------------------<br>
Consider the following: it’s April fool’s day and someone
at the BBC decides to play a joke on their viewers. They pick a
popular brand of television, counterfeit its setup menu and then
superimpose that image over the live television broadcast. Viewers
who own a different brand of television will be like a Bank of
Ireland customer receiving a Bank of America phishing email
i.e. they will know immediately that it’s a scam. However
viewers with the correct brand of television will think their
television is malfunctioning as it is presenting the setup menu no
matter what they do. To prevent this trick from working, viewers
must customise their setup menu. Doing so is creating a secret known
by their television and themselves, but not known by the BBC. This
is identical to the solution to phishing attacks i.e. Mallory cannot
counterfeit what Mallory does not know. It’s a viewer-television
secret just like our browser-user secret.<br>
<br>
Joseph<br>
</body>
</html>