[Cryptography] So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Fri Feb 10 05:25:42 EST 2017


On 09-Feb-17 8:32 PM, Natanael wrote:
> Problems:
>
> 1a) Many businesses have no canonical / one ........
> 1b) Relevant to the one above, many businesses have old legal names 
> fro.........
> 1c) Phonetically similar names, usage of visually similar char.......

Yes, excellent. I did not document it, but the identities inside TLS 
certificates are de facto worldwide trademarks. There are huge issues 
here. I figured all those issues would present themselves once the 
public are actually forced to examine the identities inside TLS 
certificates, so I figured I would push this solution first and that all 
these issues would become apparent once the public actually started 
looking at the TLS identities. Right now they never look at them; they 
just look for a padlock symbol.

>
> 2) You need one image per site. It just doesn't scale. The average 
> person has ~50 logins, IIRC. You also need to sync them between 
> devices, which is just more attack surface.

Nope, it's one image per account per computer. So you set it up when you 
buy a new computer. You would only need to change it when you get a 
virus on your computer. You can NEVER share this image across the 
network. Once you do, MITM attacks will grab it.

> And instead of images, just use a color scheme the phisher can't 
> guess...........

** Your browser is an agent in the cryptography protocol. Therefore it 
must authenticate itself by presenting a shared secret. Otherwise Mallory 
will fake your browser, i.e. a phishing attack. The shared secret can be 
anything. It could be a colour scheme, a picture, a sound, anything. So 
long as your browser authenticates itself by doing something a remote 
website cannot! ** For example:

- tell your user how many times you have accessed this site
- display a unique colour scheme
- your suggestion, a custom keyboard shortcut

* It's an entire category of possibilities. See list item number 4 on 
page 3 of the paper. (https://arxiv.org/pdf/1511.03894.pdf)
Also, see '7.1 April fool's day at the BBC' on page 14 of the paper.

>
> Also note that technically EV certificates do what you ask for. Kind 
> of. Because of reasons 1a-d above, it still isn't what you want.

Kinda, but I don't think they have it entirely. I'm kinda bullying the 
user into using fig 1 as a login window. Then they can't miss the 
signals being sent by their browser. Fig 1 is a bit 'in your face' 
compared to a green address bar.

Also, full-screen counterfeiting is kinda scary. It can counterfeit 
almost anything. Video here: 
https://www.youtube.com/watch?v=O5B5SKoIgAo  or go to 
http://thefutureisbright.net/fsc/
