[Cryptography] Phishing Attacks - Alice, HAL and Bob

Joseph Kilcullen kilcullenj at gmail.com
Tue Jun 14 17:31:08 EDT 2016

I have an academic paper on Phishing attacks at 
http://arxiv.org/abs/1511.03894 or 
http://arxiv.org/pdf/1511.03894v2.pdf. I'm looking for feedback.

The paper argues that Phishing attacks are a basic cryptography protocol 
failure i.e. instead of

    Alice = Web browser    = A Machine
    Bob   = The Web Server = A Machine

It should be three actors i.e.

    Alice = The Human Being = A Human
    HAL   = Web browser     = A Machine
    Bob   = The Web Server  = A Machine

After that it’s a standard solution i.e. Alice and HAL must share a 
secret. After HAL has verified Bob's TLS Certificate he presents the, 
now verified, identity data together with the Alice-HAL shared secret. 
Alice must authenticate both HAL and Bob simultaneously i.e. 
authenticate both the Alice-HAL shared secret and Bob’s identity. 
Basically Alice (Human) must authenticate her web browser and the 
identity specified in the TLS Certificate. The idea is that Mallory 
cannot counterfeit the shared secret without hacking into thousands of 
computers. A far cry from a basic phishing attack.

Also if the paper interests you, there is 
http://thefutureisbright.net/fsc/   and 
https://www.youtube.com/watch?v=O5B5SKoIgAo  which were used to write 
the paper.

More information about the cryptography mailing list