man in the middle, SSL

Leichter, Jerry leichter_jerrold at
Tue Feb 6 10:06:42 EST 2007

| somewhat related 
| Study Finds Bank of America SiteKey is Flawed
Recall how SiteKey works:  When you register, you pick an image (from a
large collection) and a phrase.  Whenever you connect, the bank will
play back the image and phrase.  You aren't supposed to enter your
password until you see your own image and phrase.

The usability problem found in the study was that if you build a login
page with the image and phrase replaced by something else that seems to
go there - like a notification about a systems upgrade, or maybe an ad for
a bank service - most people (90%?) will just go ahead and enter their
password anyway.

Unfortunately, the "all ads all the time" nature of today's web sites
has conditioned people not to expect *anything* to remain constant.
We're used to judging the trustworthiness of those we interact with
in the real world by various invariant marks and other features.  If
you go to your bank and find the signs have all changed, you will at
the least be a bit suspicious.  At a web site - who would think twice?

SiteKey tries to use something that's invariant but unique to you.
That's a distinction people clearly don't make automatically.  Whether
with sufficient training and experience they will learn to do so
remains to be seen.  (BofA is very consistent in telling you *never*
to enter your password without first checking for your image and
phrase.  Clearly, though, it hasn't clicked for people.)

Of course, SiteKey isn't the full answer - if I know your login name,
I can try to log in to BofA and get a copy of your image and phrase.
What SiteKey at best prevents is broad-based non-personalized attacks.
Automating "skimming" of SiteKey information using some virus is a
plausible attack, and we'll see it eventually if it appears worth
someone's while.

Combined with some of the other reports coming out about the lack of
effectiveness of EV cert indicators (why *that* surprises anyone is
beyond me) and of pretty much every other technique that anyone has
proposed so far, it's clear that the battle against phishing is going
to be long and hard, and that victory is very far from clear.

In architecture, there is the notion of a building having "human scale".
Places built ignoring that notion feel overwhelming.  (Sometimes that's
the point, of course.)  The Internet, as it's evolved to this point,
clearly lacks "human scale".  People's intuitions, quick responses, all
the things we've evolved and learned to deal with the real world, don't
match the world of the web.  Until we can figure out how to bring human
capabilities and limitations into the picture much more effectively and
thoroughly than we have so far, things are going to get much worse.

							-- Jerry

The Cryptography Mailing List