[Cryptography] [FORGED] Fwd: Re: [FORGED] Re: So please tell me. Why is my solution wrong?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 8 22:07:27 EST 2017


Joseph Kilcullen <kilcullenj at gmail.com> writes:

>Sure phishers could buy a TLS certificate but it's up to the
>certificate authorities not to sell certificates with fake
>identities to criminals. And yes, I know this has happened. I
>don't have the references to hand.

Phishing doesn't require a CA to sell fake certs; that's the whole point of
phishing.  As you say, you don't have references to hand, and that's one of
the two major problems with your entire paper, the only references in there
are some generic ones on phishing and several to patents, one of them yours,
presumably for the contents of the paper.  You seem to be completely unaware
not just of the large amount of existing work that's been done in this area,
but even the fact that it exists.  This is not a good sign.

The second problem is that anyone can come up with (what they think is) a
good idea for a security mechanism.  We get this on the list from time to
time; typically someone pops up with some new unbreakable military-grade
pseudo-one-time pad that they've just invented, and then defends it to the
death when knowledgeable cryptographers point out that it's not (a) new,
(b) good, or (c) secure.

Anyone can come up with some sort of auth mechanism that they think is cool.
Here's one, based on cat videos.  When you connect to a site, your browser
hashes the URL and uses the LSBs of the hash to select a cat video to play
to you.  Since a phishing site and the real site will produce different
hashes, you see different cat videos and so you'll know it's a phishing 
site.

Also, everyone loves cat videos.

There, a cool new foolproof auth technique, thought up on the spur of the
moment.  Patent application pending.

If you read all of the papers and reports that have looked at this sort 
of thing before you'll see they're all based on either real-world experience
or user studies.  Your paper contains no evidence of any evaluation of the
technique to determine whether it works.  All the evidence we have in this
area from prior work is that it doesn't.  If you're going to pitch your
technology to this crowd (or pretty much any crowd), you'll need to provide 
concrete evidence that it actually works in practice.

In the meantime, I'm putting my bets on cat videos.  They won't work any
better than anything else that's been tried, but at least you get to see
some cute kittens.

Peter.
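The cat-video indicator above is a joke, but it is also a concrete mechanism, and it fails for a reason that is worth seeing in code as well as in user studies: the indicator has only log2(number of videos) bits of entropy, so a phisher does not need a colliding URL, only a plausible lookalike domain that happens to land on the same video. The following is an added example written for this archive page, not code from the original post; the video catalogue, the domain names and the lookalike-generation rules are all constructed for illustration, and hashing the host name stands in for "hashes the URL".

```python
"""Toy model of the "cat video" indicator described above, plus the search a
phisher would run against it. Added example, not from the original message;
the catalogue and all domain names are constructed for illustration."""
import hashlib
import itertools
import math

# Constructed catalogue: 8 videos, so the selector carries log2(8) = 3 bits.
CAT_VIDEOS = [
    "kitten_vs_roomba", "cat_in_box", "keyboard_cat", "cat_knocks_glass",
    "cat_loaf", "cat_chases_laser", "cat_yawns", "cat_ignores_owner",
]


def video_for_url(url: str, catalogue=CAT_VIDEOS) -> str:
    """Hash the URL (here: the host name) and use the low-order bits of the
    digest to pick a video. SHA-256 is 256 bits wide, but the selector is
    only as wide as the catalogue, and that is what an attacker must match."""
    digest = hashlib.sha256(url.encode("utf-8")).digest()
    lsbs = int.from_bytes(digest[-4:], "big")   # low-order bytes of the digest
    return catalogue[lsbs % len(catalogue)]


def selector_bits(catalogue=CAT_VIDEOS) -> float:
    """Effective strength of the indicator: bits a phisher must match."""
    return math.log2(len(catalogue))


def lookalike_candidates(domain: str):
    """Yield plausible phishing domains for `domain` (constructed rules), then
    numbered fallbacks so the search never runs dry."""
    label, _, tld = domain.rpartition(".")
    prefixes = ["", "secure-", "login-", "account-", "www-"]
    suffixes = ["", "-login", "-verify", "-support", "-secure"]
    tlds = [tld, "net", "org", "info", "co"]
    for pre, suf, t in itertools.product(prefixes, suffixes, tlds):
        cand = f"{pre}{label}{suf}.{t}"
        if cand != domain:
            yield cand
    for n in itertools.count(1):
        yield f"{label}{n}.{tld}"


def find_colliding_lookalike(target: str, catalogue=CAT_VIDEOS, max_tries=10_000):
    """Search lookalike domains until one selects the same video as `target`.
    Returns (domain, tries) or None. With N videos the expected number of
    tries is about N, i.e. the phisher pays 2**selector_bits(), not 2**256."""
    want = video_for_url(target, catalogue)
    for tries, cand in enumerate(lookalike_candidates(target), start=1):
        if tries > max_tries:
            return None
        if video_for_url(cand, catalogue) == want:
            return cand, tries
    return None


if __name__ == "__main__":
    target = "bank.example"   # constructed victim domain
    print(f"{target} -> {video_for_url(target)} "
          f"({selector_bits():.0f}-bit selector)")
    hit = find_colliding_lookalike(target)
    if hit:
        print(f"phisher registers {hit[0]} after {hit[1]} tries; "
              f"the victim sees the same cat video")
```

Making the catalogue bigger does not rescue the scheme: a user cannot reliably remember which of thousands of videos belongs to which site, and the prior work the message refers to is about exactly that gap between an indicator being present and a user acting on it.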

