[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?
James A. Donald
jamesd at echeque.com
Wed Feb 8 19:28:12 EST 2017
On 2/8/2017 7:24 PM, Peter Gutmann wrote:
> tl;dr: Site images are yet another example of the Simon Says problem applied
> to security, you have to notice the absence of a stimulus to realise that the
> security isn't present. Most site images can be defeated simply by omitting
> them, or if you're really keen, displaying a broken-image-link image or text
> saying that the security on the site is being upgraded and images will return
> presently.
Suppose we bring up a local background screen, and display the UI
directly on that background, no windows, just old-fashioned text on the
monitor.
And this UI is the interface to a zero knowledge password proof, where
both parties prove knowledge of the password without giving it away.
If the phisher brings up the true password UI, which he can perfectly
easily do, he does not gain anything.
If he brings up a different UI - well, the UI is necessarily
dramatically different, being windowed and all that.
Will it work? To answer that question, hold down the Ctrl and Alt keys,
and press the Del key. Now imagine that with a background image unique
to each person's computer. Hell, imagine that even with the standard
blue background. It would still work.
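An added example, not part of the post or the thread: a minimal SRP-6a exchange in Python, the kind of "zero knowledge password proof" the message refers to. Both sides derive the same session key only if the client knows the password and the server holds the matching verifier v = g^x; the password itself never goes over the wire. The `genuine_login` and `phisher_login` scenario functions, the `Client`/`Server` classes and the sample user names are this example's own; the group constant is the 1024-bit group from RFC 5054 Appendix A (a real deployment would use a larger one from the same appendix, and an audited library rather than this sketch). The phisher case models the post's point: someone who brings up the real UI and speaks the real protocol, but lacks v, can only embed a single guessed password in his challenge B, and a wrong guess fails without giving him an offline attack on the transcript.

```python
import hashlib
import hmac
import os

# 1024-bit safe-prime group (g = 2) from RFC 5054, Appendix A; larger groups
# from the same appendix belong in real deployments, this one keeps the demo fast.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element (the PAD() of RFC 5054)."""
    return x.to_bytes(NBYTES, "big")

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def H(*parts: bytes) -> int:
    return int.from_bytes(sha(*parts), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed by the group parameters

def private_x(username: str, password: str, salt: bytes) -> int:
    return H(salt, sha(f"{username}:{password}".encode()))

def register(username: str, password: str) -> tuple:
    """Enrolment: the server keeps only (salt, v); the password is never stored."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)

class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = int.from_bytes(os.urandom(32), "big")   # ephemeral secret
        self.A = pow(g, self.a, N)                        # first message to server
        self.K = self.M1 = None

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("invalid server value B")
        u = H(pad(self.A), pad(B))
        x = private_x(self.username, self.password, salt)
        # Only a server that put v = g^x into B ends up with the same S.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = sha(pad(S))
        self.M1 = sha(pad(self.A), pad(B), self.K)       # client's proof
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return hmac.compare_digest(sha(pad(self.A), self.M1, self.K), M2)

class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = int.from_bytes(os.urandom(32), "big")
        self.B = (k * v + pow(g, self.b, N)) % N         # challenge, embeds v

    def challenge(self) -> tuple:
        return self.salt, self.B

    def finish(self, A: int, M1: bytes):
        if A % N == 0:
            raise ValueError("invalid client value A")
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)
        K = sha(pad(S))
        if not hmac.compare_digest(sha(pad(A), pad(self.B), K), M1):
            return None                                   # client failed the proof
        return sha(pad(A), M1, K)                         # server's proof

def login(client: Client, server: Server) -> bool:
    """Full exchange: A -> (salt, B) -> M1 -> M2.  No message carries the password."""
    salt, B = server.challenge()
    M1 = client.respond(salt, B)
    M2 = server.finish(client.A, M1)
    return M2 is not None and client.verify_server(M2)

def genuine_login(username: str, registered: str, entered: str) -> bool:
    """Real server holding v from enrolment; succeeds only with the right password."""
    salt, v = register(username, registered)
    return login(Client(username, entered), Server(salt, v))

def phisher_login(username: str, entered: str, guess: str) -> bool:
    """Phisher runs the real protocol and UI but has no v, so B can embed only one
    guessed password; a wrong guess fails and the transcript gives him nothing else."""
    salt = os.urandom(16)                                 # he can pick any salt
    v_guess = pow(g, private_x(username, guess, salt), N)
    return login(Client(username, entered), Server(salt, v_guess))
```

The `A % N == 0` and `B % N == 0` checks matter: accepting a zero public value lets the other side force a known session key. Each run of `phisher_login` with a wrong guess costs the phisher one interaction with the victim and yields only a yes/no for that guess, which is why rate-limiting online attempts is still needed even with a PAKE.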