[Cryptography] Toxic Combination

Guido Witmond guido at witmond.nl
Sun Nov 30 16:55:31 EST 2014


Dear list members,


I'm starting to consider the combination of current best practice with
server certificates and password to be a Toxic Combination.


The general issue is twofold:

    People need to validate the authenticity of a site before typing in
    their password;

    The password gets transmitted to the other party.

Most people assume that if it looks like their bank and the address bar
is green then it should be safe. Regrettably, it’s not. Criminals obtain
valid certificates using stolen credit cards and passports. The true
method for authenticating a site requires verification of server
certificate fingerprints. And if you don’t know what that means, you
have to spot the spelling errors, the differences in layout and other
mistakes to detect the scammers. Good luck!

The second part is just as problematic: The password must remain secret,
yet it must be transmitted to the other side to log in.

This is the Toxic Combination. One failure to detect a scammer’s site
and the password is compromised. The scammers can do everything that you
can do with the password.


[promo]

For more information, please see:

http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html

http://eccentric-authentication.org/Usable-Security.pdf

[/promo]

Regards, Guido Witmond.
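Added example, not code from the message or the eccentric-authentication project: a client-side check of the kind the message calls the "true method", pinning the genuine site's SHA-256 certificate fingerprint so that a scammer's certificate, however validly issued, is rejected no matter how the page looks. CONSTRUCTED_PEM is placeholder data rather than a real certificate, and server_matches_pin together with its host and pin arguments is an assumed helper for illustration.

```python
"""Pin a server certificate by its SHA-256 fingerprint instead of trusting
what the address bar looks like."""
import base64
import hashlib
import hmac
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder: these are NOT real certificate bytes, only stand-in
# data wrapped in PEM armour so the pipeline below can be exercised offline.
CONSTRUCTED_PEM = (
    PEM_HEADER + "\n"
    + base64.encodebytes(b"constructed placeholder certificate bytes").decode("ascii")
    + PEM_FOOTER + "\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the raw DER bytes the fingerprint covers."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    # b64decode discards the line breaks inside the armour by default
    return base64.b64decode(body[len(PEM_HEADER):-len(PEM_FOOTER)])


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, the form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate with the pin;
    accepts the pin with or without colons and in either case."""
    presented = sha256_fingerprint(der).replace(":", "")
    expected = pinned.replace(":", "").upper()
    return hmac.compare_digest(presented.encode(), expected.encode())


def server_matches_pin(host: str, pinned: str, port: int = 443) -> bool:
    """Assumed helper: connect with normal chain validation still on, then
    additionally require the pinned fingerprint. A certificate for any other
    site, even a perfectly valid one for a look-alike name, fails here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_matches(der, pinned)
```

The pin has to come from an out-of-band source (the bank's printed material, a previous trusted visit), since a pin learned from the page being checked proves nothing.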
