[Cryptography] So please tell me. Why is my solution wrong?

Natanael natanael.l at gmail.com
Thu Feb 9 15:32:29 EST 2017


Problems:

1a) Many businesses have no canonical / one single true business name.
They just have brands, or sometimes only individual products. They could be
owned by a single random person somewhere, be owned by a holding company or
be managed by some intermediate that the business owner has outsourced most
of the operations to.

1b) Relevant to the one above, many businesses have old legal names from
prior to rebranding, or there may even be multiple businesses *in the same
country* with identical names, located in different counties / states /
local jurisdictions. Clusters of businesses that collaborate can also have
confusing legal names. Mergers and splits just make things worse.

1c) Phonetically similar names, usage of visually similar characters, etc.,
can break it too. You can never stop phishing only by relying on names. And
it is just too easy to get a CA to sign off on a name that can fool users.

1d) Even if it was practical, it means no businesses can share a domain
name (and thus share certificates). Even if they use different subdomains.
So users need to know who their host is. But hosts can change too!

2) You need one image per site. It just doesn't scale. The average person
has ~50 logins, IIRC. You also need to sync them between devices, which is
just more attack surface.

3) In case of failure, the phisher still gets the password.

If you're going to modify how TLS is used, just go with the U2F-style
phishing-resistant solutions where the password never is sent to the
server. Or SRP protocols. Because this solution doesn't require CAs to do
even more than before, is more robust, and is actually useful.

And instead of images, just use a color scheme the phisher can't guess. You
only need one per user for a browser. Can be shared across all devices of
that user.
If you don't need to tell sites apart because your authentication proof
isn't reusable, then you only need one (1) secret shared with your browser
(assuming an attacker that only wants your credentials - impersonation
leading to the user divulging secrets remains a risk).

And as I also said before, a trusted keyboard shortcut to open the password
prompt is probably also one of the most effective protections possible
(relying on muscle memory as a phishing defense!).

Also note that technically EV certificates do what you ask for. Kind of.
Because of reasons 1a-d above, it still isn't what you want.
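
An added example (not part of the original post) of why a U2F-style proof is of no use to a phisher: the assertion is bound to the origin the browser is actually connected to and to a single-use challenge. The origins, class names and the use of HMAC in place of a real token's ECDSA signature are assumptions made for this example.

```python
import hashlib, hmac, json, secrets

REAL = "https://bank.example"         # constructed origins, not from the post
PHISH = "https://bank-login.example"

class Token:
    """Toy authenticator. Assumption: HMAC stands in for the ECDSA signature
    of a real U2F token, so the server holds the same key, not a public key."""
    def __init__(self):
        self._keys = {}
    def register(self, origin):
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]
    def sign(self, origin, challenge):
        # `origin` comes from the browser's TLS connection, not from the page,
        # so a look-alike page cannot ask for a proof in REAL's name.
        key = self._keys.setdefault(origin, secrets.token_bytes(32))
        data = json.dumps({"origin": origin, "challenge": challenge.hex()}).encode()
        return data, hmac.new(key, data, hashlib.sha256).digest()

class Server:
    def __init__(self, origin):
        self.origin, self.keys, self.pending = origin, {}, set()
    def enroll(self, user, key):
        self.keys[user] = key
    def challenge(self):
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c
    def verify(self, user, data, tag):
        expected = hmac.new(self.keys[user], data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # made with another origin's key
        fields = json.loads(data)
        c = bytes.fromhex(fields["challenge"])
        if fields["origin"] != self.origin or c not in self.pending:
            return False                      # wrong origin or stale challenge
        self.pending.discard(c)               # single use: no replay
        return True

def demo():
    token, server = Token(), Server(REAL)
    server.enroll("alice", token.register(REAL))
    data, tag = token.sign(REAL, server.challenge())
    honest = server.verify("alice", data, tag)    # user on the real site
    replay = server.verify("alice", data, tag)    # same proof sent again
    data, tag = token.sign(PHISH, server.challenge())  # challenge relayed via PHISH
    relayed = server.verify("alice", data, tag)
    return honest, replay, relayed
```

`demo()` returns the outcome of the honest login, the replayed proof and the relayed proof, in that order.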