[Cryptography] Fwd: Re: [FORGED] Re: So please tell me. Why is my solution wrong?
Joseph Kilcullen
kilcullenj at gmail.com
Wed Feb 8 11:20:10 EST 2017
On 08-Feb-17 8:39 AM, Bill Cox wrote:
>
> Can you elaborate a bit on the research? Did it cover the case where
> the picture is stored on the client machine and the same picture is
> shown when logging in for all web sites?
You kinda have to read the entire paper up to the end of section 3, to
get the answer to this question.
In a nutshell: your web browser has two personalities, one friend, one
foe. The foe is when your browser creates a counterfeit website page.
The friend is when your browser does something that a remote website
cannot do, i.e. access local data. For your browser to display local data
is classic cryptography! Local data are shared secrets. For your browser
to show you an image from the hard drive, an image that remote websites
cannot access, is your browser proving that you are NOT looking at a web
page created by Mallory, out there on the internet.
>
> I think a tool like that could be built as a browser plugin, and it
> could use some simple heuristics like Chrome does when it saves your
> passwords to figure out when a user is on a login page.
I would build it into the browser. I would let the website creator
decide when the window should appear.