[Cryptography] So please tell me. Why is my solution wrong?
Joseph Kilcullen
kilcullenj at gmail.com
Wed Feb 8 08:59:22 EST 2017
On 07-Feb-17 8:35 PM, Natanael wrote:
> Trusted interfaces is an old idea. You have at least that idea right.
>
7.1 April fool’s day at the BBC (in the paper) is an example of a trusted
interface. So I know this concept.
> ...You need users to be educated on how it works, and proactive.
> ...... phishing proof authentication protocols ...........
I disagree. All that stuff is cool but we don’t need it. All that is
needed is a TINY addition to TLS, i.e. after the digital signature has
been verified, your browser should show Fig 1. The human being then
authenticates both the TLS identity and the fact that the entire window,
Fig 1, has not been counterfeited. This is achieved by confirming that
the picture is correct. We’re forcing the human being to (1) use TLS,
(2) authenticate the identity in the TLS certificate and (3) make sure
that the entire window, Fig 1, is not a counterfeit itself. This is
achieved since Mallory would have to hack into your computer and steal
the image in order to counterfeit Fig 1. It’s subtle, but this is a
very small change to TLS.
Web pages are so easy to counterfeit that users should never be allowed to
log in via a regular web page. They should always use Fig 1. Fig 1 cannot
be counterfeited without Mallory hacking into your computer.
>
> In your scheme (if I read it right), a user just has to be forgetful
> once and it fails.
>
The picture will be the same for all websites, so it will be easy for the
user to remember, and easy to spot when it’s different. It is set
for your browser and your user account. It will be the same for Facebook,
gMail, Amazon etc. Otherwise the user just needs to know which website
they were looking for and their username and password for that site, i.e.
the ONLY additional information, for my solution, is their user-browser
secret and the names of a few certificate authorities.