[Cryptography] So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Wed Feb 8 08:59:22 EST 2017


On 07-Feb-17 8:35 PM, Natanael wrote:
> Trusted interfaces is an old idea. You have at least that idea right.
>

7.1 April fool's day at the BBC (in the paper) is an example of a trusted 
interface. So I know this concept.


> ...You need users to be educated on how it works, and proactive. 
> ...... phishing proof authentication protocols ...........

I disagree. All that stuff is cool, but we don't need it. All that is 
needed is a TINY addition to TLS, i.e. after the digital signature has 
been verified, your browser should show Fig 1. The human being then 
authenticates both the TLS identity and the fact that the entire window, 
Fig 1, has not been counterfeited. This is achieved by confirming that 
the picture is correct. We're forcing the human being to (1) use TLS, 
(2) authenticate the identity in the TLS certificate and (3) make sure 
that the entire window, Fig 1, is not a counterfeit itself. This is 
achieved since Mallory would have to hack into your computer and steal 
the image in order to counterfeit Fig 1. It's subtle, but this is a 
very small change to TLS.

Web pages are so easy to counterfeit that users should never be allowed 
to log in via a regular web page. They should always use Fig 1. Fig 1 
cannot be counterfeited without Mallory hacking into your computer.

>
> In your scheme (if I read it right), a user just have to be forgetful 
> once and it fails.
>

The picture will be the same for all websites, so it will be easy for 
the user to remember, and easy to spot when it's different. It is set 
for your browser and your user account. It will be the same for Facebook, 
gMail, Amazon etc. Otherwise the user just needs to know which website 
they were looking for and their username and password for that site, i.e. 
the ONLY additional information for my solution is their user-browser 
secret and the names of a few certificate authorities.
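The three checks the message describes (TLS verification first, then the
user confirming the certificate identity, then the user confirming the
secret picture in the trusted window), written out as a small simulation.
This is an added example, not code from the original post or from the
paper it refers to. Everything in it is constructed for illustration: the
Certificate and LoginWindow records, the trusted-CA list, the site names
and the byte string standing in for the user's picture are all assumptions,
and no real TLS handshake, chain validation or image rendering happens.

```python
"""Simulation of the trusted login window (Fig 1) from the message.

Added example; not the author's code. All names, certificates, CA names
and the "picture" bytes are constructed here for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for the leaf certificate a TLS server sent."""
    subject: str      # DNS name the certificate was issued for
    issuer: str       # name of the certificate authority that signed it
    chain_ok: bool    # result of the browser's signature/chain check


@dataclass(frozen=True)
class LoginWindow:
    """What the human sees in Fig 1: identity, issuer and the picture."""
    identity: str
    issuer: str
    picture: bytes


class Browser:
    """Holds the per-user, per-browser secret picture in its own profile.

    Only the browser can produce a genuine LoginWindow, and it does so only
    after TLS verification has succeeded (step 1 of the scheme).
    """

    def __init__(self, secret_picture: bytes, trusted_cas: Set[str]):
        self._picture = secret_picture
        self._trusted_cas = trusted_cas

    def open_login_window(self, cert: Certificate) -> Optional[LoginWindow]:
        # No verified TLS identity means no trusted window at all.
        if not cert.chain_ok or cert.issuer not in self._trusted_cas:
            return None
        return LoginWindow(cert.subject, cert.issuer, self._picture)


def counterfeit_window(identity: str, issuer: str, guess: bytes) -> LoginWindow:
    """A phishing page drawing a look-alike of Fig 1.

    Mallory controls the page content but not the browser profile, so the
    counterfeit can only carry a guessed picture (or none at all).
    """
    return LoginWindow(identity, issuer, guess)


def user_accepts(window: Optional[LoginWindow], expected_site: str,
                 remembered_picture: bytes, known_cas: Set[str]) -> bool:
    """Steps 2 and 3: the human checks the identity, then the picture.

    The user needs only the site they wanted, the names of a few CAs and
    what their own picture looks like; the picture comparison stands in
    for the human looking at the window.
    """
    if window is None:
        return False                        # no trusted window, no login
    if window.identity != expected_site:    # wrong or look-alike name
        return False
    if window.issuer not in known_cas:      # CA the user does not recognise
        return False
    return window.picture == remembered_picture


# Constructed sample data (assumptions, not real keys, images or sites).
SECRET_PICTURE = b"\x89PNG-constructed-sample-picture-bytes"
TRUSTED_CAS = {"Example Root CA"}


def run_scenarios() -> Dict[str, bool]:
    """Run the genuine case and three attacks; True means the user logs in."""
    browser = Browser(SECRET_PICTURE, TRUSTED_CAS)
    genuine = Certificate("bank.example", "Example Root CA", chain_ok=True)
    lookalike = Certificate("bank-example.test", "Example Root CA", chain_ok=True)
    untrusted = Certificate("bank.example", "Mallory CA", chain_ok=True)
    wanted = "bank.example"
    return {
        # Verified TLS, right name, right picture: the user proceeds.
        "genuine": user_accepts(browser.open_login_window(genuine),
                                wanted, SECRET_PICTURE, TRUSTED_CAS),
        # Valid certificate for a look-alike name: step 2 catches it.
        "lookalike_name": user_accepts(browser.open_login_window(lookalike),
                                       wanted, SECRET_PICTURE, TRUSTED_CAS),
        # Issuer not trusted: the browser never opens Fig 1 (step 1).
        "untrusted_issuer": user_accepts(browser.open_login_window(untrusted),
                                         wanted, SECRET_PICTURE, TRUSTED_CAS),
        # Phishing page fakes the whole window; the picture is wrong (step 3).
        "counterfeit_window": user_accepts(
            counterfeit_window(wanted, "Example Root CA", b"guessed-picture"),
            wanted, SECRET_PICTURE, TRUSTED_CAS),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'login' if accepted else 'refused'}")
```

The only scenario in which Mallory gets past step 3 is one where the
counterfeit carries the real SECRET_PICTURE, which in this model requires
reading it out of the browser profile, matching the message's claim that
the attacker has to hack into the user's computer.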
