Solving password problems one at a time, Re: The password-reset paradox

Ed Gerck edgerck at nma.com
Mon Feb 23 20:23:33 EST 2009


silky wrote:
> On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck <edgerck at nma.com> wrote:
> [snip]
>   
>> Thanks for the comment. The BofA SiteKey attack you mention does not work
>> for the web access scheme I mentioned because the usercode is private and
>> random with a very large search space, and is always sent after SSL starts
>> (hence, remains private).
>>     
>
> This is meaningless. What attack is the 'usercode' trying to prevent?
> You said it's trying to authorise the site to the user. It doesn't do
> this, because a 3rd party site can take the usercode and send it to
> the 'real' site.
>   

What usercode? The point you are missing is that there are 2^35 private 
usercodes and you have no idea which one matches the email address that 
you want to send your phishing email to.

The other points, including the TLS SMTP login I mentioned, might be 
clearer with an example. I'll be happy to provide you with a test account.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
