[Cryptography] Toxic Combination
Ben Laurie
benl at google.com
Thu Dec 11 06:41:24 EST 2014
On 9 December 2014 at 22:05, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Ben Laurie <benl at google.com> writes:
>
>>In any case, your position appears to be "you should implement this even
>>though I cannot point to a single example of how". Not tenable.
>
> Ian has already responded to this:
>
> As you yourself show below, asking for references is a setup for a
> knockdown.
>
> However, let's give this a go. I've collected them all in one place for
> convenience, see:
>
> http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
>
> I count (well, Word counts) just under five hundred references for the
> "Passwords" chapter. Is that enough?
>
> Now you have to come back and say that that's way too many, and you want just
> one. So I go through them and find some representative paper and forward it
> to you. You glance through it and find some reason why it won't work ("it
> suggests using a 24-pixel menu bar but we only have 23 pixels available",
> something like that). So I go through and find another paper. You come back
> to me with some reason why it won't work. We continue this dance until I get
> tired of it and find something better to occupy my time.
>
> As Ian has said, this is a setup for a knockdown. It's like a religious
> fundamentalist asking "Send me a reference proving to me that God doesn't
> exist", the outcome is a foregone conclusion, so the only winning move is not
> to play.
Look, if you don't want to admit you don't know how to do it, fine -
but don't try to blame me for that.
> In any case you have just under 500 references there, so you can't claim
> "cannot point to a single example" any more.
500 references that have something to do with passwords. So far I
haven't found any that discuss usable implementation of TLS-SRP or
TLS-PSK.
However, I do notice you claim to address at least some of the
usability problem yourself, pp 547-552. I hope I am mistaken, but I
couldn't find any evidence of secure usability testing in those pages.
Has there been any?
On p.552, for example, you have a diagram headed "Non-spoofable
password entry dialog". This makes me suspicious, because it is well
known that these dialogs are entirely spoofable.
> (Incidentally, how many references did you require for certificates being
> effective in protecting browsers from phishing?).
None, because, as you should well know (because we've discussed it
every time we've met for the last several years), I don't think
certificates are effective in protecting browsers from phishing (not
that browsers need protecting, users do, but I don't think they work
for that, either).