[Cryptography] So please tell me. Why is my solution wrong?
Joseph Kilcullen
kilcullenj at gmail.com
Wed Feb 8 11:23:09 EST 2017
On 08-Feb-17 3:40 PM, Theodore Ts'o wrote:
>
> My bank is doing that already, and has been doing it for, oh, two or
> three years? So it's hardly a new or novel technique.
>
> - Ted
Nope, they haven't. It's not SiteKey. This is different.
A phisher cannot counterfeit fig 1 without hacking into people's home
computers. Remote websites cannot access your hard disk. However,
installed software, like your web browser, can. Hence a browser which
displays information which remote websites cannot display is
demonstrating that Fig 1 has been created by your web browser, not by a
remote phishing website.
This solution is not SiteKey. It's getting your browser to force you to
use TLS and all the cool identity authentication stuff already there,
like certificate authorities etc.
See fig 9 on page 9 of the paper. Your web browser is an actor in the
cryptography protocol! Hence your web browser must authenticate itself!
After the browser verifies the TLS digital signature, the browser
presents fig 1. The human looks at fig 1 and implicitly authenticates
BOTH 'her browser' and the TLS identity by entering her login
credentials. The picture is stored locally.