Security through kittens, was Solving password problems
RL 'Bob' Morgan
rlmorgan at washington.edu
Tue Feb 24 20:17:49 EST 2009
> Clever though this scheme is, man-in-the-middle attacks make it no
> better than a plain SSL login screen. Since the bad guy knows what site
> you're trying to reach, he can use your usercode to fetch the shared
> secret from the real site and present it to you on his fake site. It's
> true, the fake site won't have the same URL as the real site, but if the
> security of this scheme still depends on people scrutinizing the
> browser's address bar to be sure they're visiting the site they think
> they are, how is this any better than an ordinary kitten-free SSL login
> screen?
If there is actual security value in it (as opposed to security theater)
presumably it is that the MITM has to interact with the bank site to
present the username and fetch the image in order to complete the phish.
The bank site would monitor for a client address that makes multiple
requests with different usernames and shut off its access quickly. The
MITM could of course get around this by using multiple client addresses to
make these requests, but this raises the bar for an effective MITM. Does
it raise it enough to justify the cost of deploying these schemes?
Apparently the banks think so, or they're doing them for some other reason
(theater, peer pressure, whatever).
- RL "Bob"
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
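The monitoring Bob sketches above (the bank watches for one client address that asks for the shared image under many different usernames, and cuts that address off), as an added example that is not part of the original post or of any bank's code. The events, addresses, time window and threshold are all constructed here for illustration. The second half shows the evasion the post mentions: the same lookups spread round-robin across several client addresses stay under the per-address threshold, so the check raises the cost of the phish rather than preventing it.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not from the original post). Each entry is
# (timestamp_seconds, client_address, username) for a request that asks the
# bank site to return the per-user image for that username. The addresses
# are RFC 5737 documentation ranges; the names are made up.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.10", "alice"),  # legitimate user
    (1.0, "203.0.113.10", "alice"),  # same user reloads the page
    (2.0, "198.51.100.7", "bob"),    # another legitimate user
    (3.0, "192.0.2.55", "carol"),    # one MITM host relaying many victims
    (3.5, "192.0.2.55", "dave"),
    (4.0, "192.0.2.55", "erin"),
    (4.5, "192.0.2.55", "frank"),
    (5.0, "192.0.2.55", "grace"),    # 5th distinct username -> over threshold
    (5.5, "192.0.2.55", "heidi"),    # address already shut off
]


class ImageFetchMonitor:
    """Per-address sliding-window count of distinct usernames requested.

    window_seconds and max_distinct_users are assumed tuning knobs; a real
    deployment would pick them from its own traffic.
    """

    def __init__(self, window_seconds=60.0, max_distinct_users=4):
        self.window = window_seconds
        self.max_distinct = max_distinct_users
        self._recent = defaultdict(deque)  # address -> deque of (ts, username)
        self.blocked = set()

    def _prune(self, address, now):
        q = self._recent[address]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, ts, address, username):
        """Record one image request; return 'blocked' or 'allowed'."""
        if address in self.blocked:
            return "blocked"
        self._prune(address, ts)
        q = self._recent[address]
        q.append((ts, username))
        distinct = {u for _, u in q}
        if len(distinct) > self.max_distinct:
            # Too many different usernames from one address inside the
            # window: treat it as a relaying phisher and shut it off.
            self.blocked.add(address)
            return "blocked"
        return "allowed"


def run_monitor(events, **kwargs):
    """Feed events through a fresh monitor; return (address, user, verdict)."""
    monitor = ImageFetchMonitor(**kwargs)
    return [(addr, user, monitor.observe(ts, addr, user))
            for ts, addr, user in events]


def mitm_events(usernames, addresses, start_ts=0.0, spacing=0.5):
    """Construct the evasion traffic the post describes: a phisher that
    rotates the image lookups round-robin over several client addresses."""
    return [(start_ts + i * spacing, addresses[i % len(addresses)], user)
            for i, user in enumerate(usernames)]


if __name__ == "__main__":
    for addr, user, verdict in run_monitor(SAMPLE_EVENTS):
        print(f"{addr:14} {user:6} {verdict}")
    victims = [f"victim{i}" for i in range(12)]
    spread = run_monitor(mitm_events(victims, [f"192.0.2.{i}" for i in range(1, 5)]))
    print("spread over 4 addresses, blocked:",
          sum(1 for _, _, v in spread if v == "blocked"))
```

Run as a script it prints the verdict for each constructed request and then the number of blocked requests when the same twelve lookups are spread over four addresses (zero, because each address sees only three distinct usernames). Shortening the window or lowering the threshold catches more phishers but also starts hitting a NAT or proxy that legitimately fronts many customers, which is the trade-off behind "does it raise the bar enough".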