[Cryptography] Fwd: Re: So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Wed Feb 8 11:18:27 EST 2017


On 08-Feb-17 2:23 AM, Salz, Rich wrote:
> Your solution to what?  I tried to read your paper and could not understand what you are trying to solve.
>   Are you claiming that you solved the problem of user's not realizing that F1delity.com is not fidelity.com?

Phishing attacks! Web browsers are so versatile they can counterfeit
anything.

Line taken from the abstract: 'In full screen mode browsers can
counterfeit almost anything, including BSOD, formatting the hard drive
and fake login screens. I found one category of behaviour which could
not be counterfeited by a remote website.' That one category is list
item number 4 on page 3 of the paper i.e. secrets shared between the
'human computer user' and their own browser. This is classic
cryptography, a shared secret.

Phishing attacks bypass TLS entirely because (1) TLS does not force the
authentication of Bob. And (2) even if it did, phishers would proceed to
counterfeit that authentication process. Hence my stone-age-man solution
is a shared secret! Mallory cannot counterfeit Fig 1 without hacking
into your computer, and that's not a phishing attack anymore, that's
something else.

My solution: (1) force the use of TLS by using Fig 1 for all logins; (2)
force the user to confirm that the login window was created by their own
web browser, i.e. that it is not a web page itself; and (3) force the human
to authenticate the identity credential in the TLS certificate.

> And please try to do so without insults.
>

Apologies for the insults, they seemed to be the only way to get people
talking about this work.
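The three steps above, modelled as an added illustration (this is not code from the paper or from the thread, and the class and function names are hypothetical): the browser holds a secret the user chose once and never sends to any site; a remote page can draw a convincing copy of the login window but can only guess that secret; and the user, before typing a password, checks both the secret and the certificate identity.

```python
"""Model of a browser-held shared secret as a phishing defence.

Added illustration (not the paper's or the list's code). It models the three
steps in the message: the browser-drawn login window shows a secret known only
to the user and their own browser; a remote web page can render any pixels it
likes but cannot read browser state, so it has to guess; and the user also
authenticates the identity in the TLS certificate. All names are hypothetical.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class LoginWindow:
    """What the user sees when asked for credentials.

    The user cannot tell from the pixels alone whether this was drawn by the
    browser or by a web page; the shared secret is the only distinguishing mark.
    """
    shared_secret: str   # phrase (or image name) the browser shows to prove it is itself
    tls_identity: str    # subject name from the validated certificate


class Browser:
    def __init__(self, user_secret: str):
        # Chosen once by the user, stored locally, never transmitted to any site.
        self._secret = user_secret

    def login_window(self, tls_identity: str) -> LoginWindow:
        # Step (1): the browser only creates this window over a validated TLS
        # session, so a certificate identity is always available to display.
        return LoginWindow(self._secret, tls_identity)


class RemotePage:
    """Anything a website can do: draw whatever it likes, but not read browser state."""

    def __init__(self, claimed_identity: str):
        self.claimed_identity = claimed_identity

    def counterfeit_window(self) -> LoginWindow:
        # The page can imitate the look of Fig 1 exactly, but the secret it shows
        # is a guess; a random 8-hex-digit guess stands in for that here.
        guessed = secrets.token_hex(4)
        return LoginWindow(guessed, self.claimed_identity)


def user_accepts(window: LoginWindow, user_secret: str, expected_identity: str) -> bool:
    """The human's check before typing a password."""
    # Step (2): the secret matches -> the window came from my own browser,
    # not from a web page (compare_digest stands in for the user's own look).
    if not secrets.compare_digest(window.shared_secret, user_secret):
        return False
    # Step (3): authenticate the identity credential in the certificate.
    # DNS names are case-insensitive, so compare lower-cased; a look-alike
    # such as "f1delity.com" still fails against "fidelity.com".
    return window.tls_identity.lower() == expected_identity.lower()


if __name__ == "__main__":
    # Constructed sample values.
    my_secret, site = "blue-heron-42", "fidelity.com"
    browser = Browser(my_secret)
    print("own browser, right site :", user_accepts(browser.login_window(site), my_secret, site))
    print("own browser, wrong site :", user_accepts(browser.login_window("f1delity.com"), my_secret, site))
    print("counterfeit page        :", user_accepts(RemotePage(site).counterfeit_window(), my_secret, site))
```

The model deliberately gives the remote page every cosmetic freedom and withholds only the secret: that is the asymmetry the message relies on, and it holds only as long as the secret never leaves the user's own machine.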
