Dutch Transport Card Broken

James A. Donald jamesd at echeque.com
Sun Feb 10 04:23:59 EST 2008


Steven M. Bellovin wrote:
 > There's another issue: initial account setup.  [Even
 > with SRP] people will still need to rely on
 > certificate-checking for that.  It's a real problem at
 > some hotspots, where Evil Twin attacks are easy and
 > lots of casual users are signing up for the first
 > time.

For banks and health care, initial account setup always
involves out of band communication, so certificate
checking is not needed.

We need to build our security mechanisms to fit
characteristic human out of band security, rather than
trying to force humans to imitate computers.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
