[Cryptography] So please tell me. Why is my solution wrong?
Joseph Kilcullen
kilcullenj at gmail.com
Fri Feb 10 05:25:42 EST 2017
On 09-Feb-17 8:32 PM, Natanael wrote:
> Problems:
>
> 1a) Many businesses have no canonical / one ........
> 1b) Relevant to the one above, many businesses have old legal names
> fro.........
> 1c) Phonetically similar names, usage of visually similar char.......
Yes, excellent. I did not document it, but the identities inside TLS
certificates are de facto worldwide trademarks. There are huge issues
here. I figured all those issues would present themselves once the
public are actually forced to examine the identities inside TLS
certificates. So I figured I would push this solution first, and that all
these issues would become apparent once the public actually started
looking at the TLS identities. Right now they never look at them; they
just look for a padlock symbol.
>
> 2) You need one image per site. It just doesn't scale. The average
> person have ~50 logins, IIRC. You also need to sync them between
> devices, which is just more attack surface.
Nope, it's one image per account per computer. So you set it up when you
buy a new computer. You would only need to change it when you get a
virus on your computer. You can NEVER share this image across the
network. Once you do, MITM attacks will grab it.
> And instead of images, just use a color scheme the phisher can't
> guess...........
** Your browser is an agent in the cryptography protocol. Therefore it
must authenticate itself by presenting a shared secret. Otherwise Mallory
will fake your browser, i.e. a phishing attack. The shared secret can be
anything. It could be a colour scheme, a picture, a sound, anything. So
long as your browser authenticates itself by doing something a remote
website cannot! ** For example:
- tell your user how many times you have accessed this site
- display a unique colour scheme
- your suggestion, a custom keyboard shortcut
* It's an entire category of possibilities. See list item number 4 on
page 3 of the paper. (https://arxiv.org/pdf/1511.03894.pdf)
Also, see '7.1 April fool's day at the BBC' on page 14 of the paper.
>
> Also note that technically EV certificates does what you ask for. Kind
> of. Because of reasons 1a-d above, it still isn't what you want.
Kinda but I don't think they have it entirely. I'm kinda bullying the
user into using fig 1 as a login window. Then they can't miss the
signals being sent by their browser. Fig 1 is a 'bit in your face'
compared to a green address bar.
Also, full-screen counterfeiting is kinda scary. It can counterfeit
almost anything. Video here:
https://www.youtube.com/watch?v=O5B5SKoIgAo or go to
http://thefutureisbright.net/fsc/