[Cryptography] Phishing Attacks - Alice, HAL and Bob
Joseph Kilcullen
kilcullenj at gmail.com
Tue Jun 14 17:31:08 EDT 2016
I have an academic paper on Phishing attacks at
http://arxiv.org/abs/1511.03894 or
http://arxiv.org/pdf/1511.03894v2.pdf. I'm looking for feedback.
The paper argues that Phishing attacks are a basic cryptography protocol
failure i.e. instead of
Alice = Web browser = A Machine
Bob = The Web Server = A Machine
It should be three actors i.e.
Alice = The Human Being = A Human
HAL = Web browser = A Machine
Bob = The Web Server = A Machine
After that it's a standard solution, i.e. Alice and HAL must share a
secret. After HAL has verified Bob's TLS certificate, he presents the
now-verified identity data together with the Alice-HAL shared secret.
Alice must authenticate both HAL and Bob simultaneously i.e.
authenticate both the Alice-HAL shared secret and Bob’s identity.
Basically Alice (Human) must authenticate her web browser and the
identity specified in the TLS Certificate. The idea is that Mallory
cannot counterfeit the shared secret without hacking into thousands of
computers. A far cry from a basic phishing attack.
Also if the paper interests you, there is
http://thefutureisbright.net/fsc/ and
https://www.youtube.com/watch?v=O5B5SKoIgAo which were used to write
the paper.