[Cryptography] [FORGED] Fwd: Re: [FORGED] Re: So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Thu Feb 9 14:23:59 EST 2017


On 09-Feb-17 3:07 AM, Peter Gutmann wrote:
>
> Phishing doesn't require a CA to sell fake certs, that's the whole point of
> phishing.
Correct. That's why we should force the phishers into the TLS world. Fig 
1 is created by your browser on verification of a TLS certificate's 
digital signature. By using it we are forcing the phishers to either (a) 
counterfeit fig 1 without TLS, or (b) get them to buy/create a TLS 
certificate of their own. (a) will fail unless they hack into each 
person's computer. And that's not phishing. (b) involves criminals 
either tricking a CA into giving them a false ID, in a TLS certificate. 
Or the criminals hacking a CA.


>    As you say, you don't have references to hand,
i.e. references to CA being hacked and/or selling certificates to 
criminals by accident. Just google 'certificate authority hacked' and 
'certificate authority accidentally sells to criminals'

> and that's one of
> the two major problems with your entire paper, the only references in there
> are some generic ones on phishing and several to patents, one of them yours.......

So anyway.... Full screen counterfeiting can counterfeit almost 
anything. The only thing that cannot be counterfeited by it, are secrets 
shared between the computer user and their own web browser. To 
counterfeit them the phisher must hack into your computer. So you don't 
need references to tell people about shared secrets, they must be around 
since the stone age.

> ...... If you're going to pitch your
> technology to this crowd (or pretty much any crowd), you'll need to provide
> concrete evidence that it actually works in practice.
That's just it. You people know about TLS, digital signatures, shared 
secrets etc. etc. In my opinion once you guys see that a basic shared 
secret prevents a login screen from being faked, that you guys will 
'get' this solution. I believe (perhaps I'm wrong) that once your web 
browser is identified as an actor and forced to authenticate itself that 
that solves phishing.

Cool, thanks for your feedback.
Joseph





More information about the cryptography mailing list