HTTPS mutual authentication alpha release - please test

Nick Owen nowen at wikidsystems.com
Thu Nov 3 14:07:35 EST 2005


>>>
>>>What threat is this supposed to defend against? Is it phishing? I
>>>don't see how it will help, if the bogus site has a valid certificate.
>>
>>Yes, phishing.  The token client isn't checking to see if the cert is
>>valid, it's only checking to see if it's the same as the one that is on
>>the WiKID authentication server.  The cert doesn't have to be valid or
>>have the root CA in the browser.
> 
> 
> But this would only help in the case that an old URL is used and a new
> certificate appears, right? That's what would be necessary to get a
> match in your database, pull down an old certificate, and find that it
> doesn't match the new certificate.

The token client has the true URL as well, so the traditional phish of
sending users to the wrong site shouldn't work either.  The user would
have to ignore the launched browser and use the fake site.
> 
> Phishers don't do this. They don't send people to legitimate URLs
> while somehow contriving to substitute their own bogus certificates.
> They send people to wrong URLs that may have perfectly valid
> certificates issued for them. I don't see how your system defends
> against what phishers actually do.

They do this too by attacking DNS servers with cache poisoning.  In this
case the token client will not be able to validate the certificate.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
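An added illustration of the check described in this thread (the token client comparing the site's certificate byte-for-byte against the one stored on the authentication server, with the true URL stored alongside it), not code from WiKID or from this post; the certificate bytes, the `TokenClient` class and the three scenarios are constructed for the example:

```python
import hashlib
from urllib.parse import urlsplit

# Constructed stand-ins for DER-encoded certificates. The check never parses
# them or consults a CA: only byte-for-byte identity with the stored copy counts.
PINNED_CERT = b"constructed-der-bytes-for-bank.example"
ROGUE_CERT = b"constructed-der-bytes-issued-to-attacker"


def fingerprint(cert_der):
    """SHA-256 of the raw certificate bytes, used as the pinning identity."""
    return hashlib.sha256(cert_der).hexdigest()


def origin(url):
    """Reduce a URL to (scheme, host, port) so path or query differences are ignored."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


class TokenClient:
    """Holds (true URL, pinned fingerprint) per service, as the thread describes."""

    def __init__(self):
        self._services = {}  # service name -> (true_url, pinned fingerprint)

    def register(self, name, true_url, cert_der):
        self._services[name] = (true_url, fingerprint(cert_der))

    def true_url(self, name):
        return self._services[name][0]

    def check(self, name, presented_url, presented_cert_der):
        """Return (ok, reason). Validity, expiry and root CA are deliberately not consulted."""
        true_url, pinned = self._services[name]
        if origin(presented_url) != origin(true_url):
            return False, "url-mismatch"
        if fingerprint(presented_cert_der) != pinned:
            return False, "cert-mismatch"
        return True, "pinned-cert-matches"


def scenarios():
    client = TokenClient()
    client.register("bank", "https://bank.example/login", PINNED_CERT)
    return {
        # Normal login: the client opens its own stored URL, the site presents the pinned cert.
        "legit": client.check("bank", client.true_url("bank"), PINNED_CERT),
        # Classic phish: a look-alike host with a perfectly valid cert (user ignored the launched browser).
        "wrong-url": client.check("bank", "https://bank-example.com/login", ROGUE_CERT),
        # DNS cache poisoning: the true URL resolves to the attacker, who presents a different cert.
        "dns-poison": client.check("bank", client.true_url("bank"), ROGUE_CERT),
    }
```

Because validity is never checked, a legitimate certificate rotation on the real site also fails closed with `cert-mismatch` until the copy on the authentication server is updated.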

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
