[Cryptography] Fwd: Re: [FORGED] Re: So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Wed Feb 8 11:20:10 EST 2017


On 08-Feb-17 8:39 AM, Bill Cox wrote:
>
> Can you elaborate a bit on the research?  Did it cover the case where 
> the picture is stored on the client machine and the same picture is 
> shown when logging in for all web sites?

You kinda have to read the entire paper up to the end of section 3, to 
get the answer to this question.

In a nutshell: your web browser has two personalities, one friend, one 
foe. The foe is when your browser creates a counterfeit website page. 
The friend is when your browser does something that a remote website 
cannot do i.e. access local data. For your browser to display local data 
is classic cryptography! Local data are shared secrets. For your browser 
to show you an image from the hard drive, an image that remote websites 
cannot access, is your browser proving that you are NOT looking at a web 
page created by Mallory, out there on the internet.

>
> I think a tool like that could be built as a browser plugin, and it 
> could use some simple heuristics like Chrome does when it saves your 
> passwords to figure out when a user is on a login page.
I would build it into the browser. I would let the website creator 
decide when the window should appear.
