[Cryptography] So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Wed Feb 8 13:06:27 EST 2017 

On 08-Feb-17 5:32 PM, Salz, Rich wrote:
> You didn't answer my second question.  Much phishing happens when the DNS name isn't really what the user expects.  How do you solve this?

The name Bob in Fig 1 comes from the TLS certificate. Hence its up to 
the Certificate Authority to have the correct name for Bob. Many 
existing sites have dumb entries inside their TLS certificates e.g. 
Ulster Bank in Ireland is 'The Royal Bank of Scotland Group Plc' within 
its TLS certificate. Once the solution is in use businesses will get 
their act together and put better names inside their certificates.

>
> What, really, do you provide above "just use TLS"?
>

Cool question. The whole point is that TLS fails in one TINY area. To 
protect usernames and passwords the identity of the remote website MUST 
be authenticated. My research indicates an un-counterfeitable login 
screen is needed. Full screen counterfeiting indicates anything can be 
counterfeited except classic cryptography shared secrets! This is why 
I'm saying the solution is primary school. Its classic cryptography. A 
login screen created by the browser cannot be counterfeited if it 
displays a picture from the hard disk which remote websites cannot 
access. To counterfeit such a login screen the phishers must hack into 
thousands of computers, not just blanket bomb thousands of email 
addresses with a 'look-a-like' website link. After that we just (1) only 
display the login screen on receipt of a valid TLS certificate. And (2) 
show the user the identity credentials inside the TLS certificate.

I'm saying TLS is cool! A TLS Certificate is equivalent to a passport 
i.e. an identity card for the internet. We just have to force people to 
use it. In Fig 1 Bob, Trent and Bob's website address all come from the 
TLS certificate. Without the user-browser shared secret Fig 1 would be 
easy to counterfeit. With the secret the phishers must hack into my 
computer to fool me! And that's not phishing anymore, that's a different 
problem.

>>
>>> And please try to do so without insults.
>>>
>> Apologies for the insults, they seemed to be the only way to get people
>> talking about this work.

More information about the cryptography mailing list