[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Mon Feb 13 11:21:30 EST 2017


On 13-Feb-17 3:29 PM, Theodore Ts'o wrote:
>
> The above is something which *is* applicable to your solution.  If you
> don't believe it, or believe that your solution is somehow special,
> you are welcome to bankroll some human factors lab to do a study
> specific to your design...

True but I figured people who understand cryptography should 'get it' 
that it's just a shared secret.

Since the image is shared between 'your web browser' and 'you' a MITM 
attack would involve the criminal standing between you and your computer 
monitor!! I'm sure this happens but it's not called a phishing attack.

With my solution a MITM attack must remove TLS entirely or substitute a 
new TLS certificate. Either way the user, or your browser, will see 
something is happening. The login window won't appear if TLS is missing. 
If a new certificate is used then whose identity or CA will be used in 
it? The computer user will see the fake identity named on the login window.

Right now users look for a picture of a padlock! If pictures of padlocks 
are proper cryptography authentication mechanisms then find me a book, 
or paper, which documents this cryptography authentication mechanism. Or 
an army which uses this tea leaf reading level cryptography solution!

*
It's a basic cryptography protocol failure. Your browser is an actor in 
the cryptography protocol, therefore your browser must authenticate itself.
*

I'm sure we can do user studies after cryptographers 'get it'.
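The following is an added illustration, not code from the post or from the proposal it defends: a small Python model of the rule the message describes, where the browser authenticates itself to the user with a secret image stored only in the local profile, renders the login window only over a TLS session, and shows the identity from the certificate it validated beside that image. The names `Connection`, `SecretStore`, `render_login_window`, `phishing_page_attempt` and `user_accepts`, and the placeholder image bytes, are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    """What the browser knows about the current page load (assumed model)."""
    host: str
    tls: bool
    cert_subject: Optional[str] = None  # identity named in the validated cert


class SecretStore:
    """The user's chosen image. It lives in the browser profile only and is
    never sent over the network, so a remote page has no way to read it."""

    def __init__(self, image_bytes: bytes) -> None:
        self._image = image_bytes

    def image(self) -> bytes:
        return self._image


@dataclass
class LoginWindow:
    secret_image: bytes
    identity: str


def render_login_window(conn: Connection, store: SecretStore) -> Optional[LoginWindow]:
    """Browser-side rule from the post: no TLS, no login window.
    Over TLS the window carries the local secret image and the identity
    taken from the certificate the browser itself validated, not from
    anything the page supplied."""
    if not conn.tls or conn.cert_subject is None:
        return None
    return LoginWindow(secret_image=store.image(), identity=conn.cert_subject)


def phishing_page_attempt(html_image: bytes, claimed_identity: str) -> LoginWindow:
    """All a remote page can do: draw its own picture and text. It cannot
    reach SecretStore, so the image it shows is a guess."""
    return LoginWindow(secret_image=html_image, identity=claimed_identity)


def user_accepts(window: Optional[LoginWindow], store: SecretStore,
                 expected_identity: str) -> bool:
    """The user's check: the image is the one I chose, and the identity
    named on the window is the site I meant to visit."""
    if window is None:
        return False
    return (window.secret_image == store.image()
            and window.identity == expected_identity)


# Constructed placeholder for the user's chosen image (not a real PNG).
USER_IMAGE = b"\x89PNG-constructed-sample-image"


def scenario(name: str) -> bool:
    """Run one of the situations discussed in the post and report whether
    the user would accept the login window."""
    store = SecretStore(USER_IMAGE)
    site = "bank.example"  # constructed sample identity
    if name == "legit":
        conn = Connection(site, tls=True, cert_subject=site)
        return user_accepts(render_login_window(conn, store), store, site)
    if name == "stripped_tls":
        # MITM removed TLS: the browser draws no login window at all.
        conn = Connection(site, tls=False)
        return user_accepts(render_login_window(conn, store), store, site)
    if name == "substituted_cert":
        # MITM presented a different certificate: the window names that identity.
        conn = Connection(site, tls=True, cert_subject="other-host.example")
        return user_accepts(render_login_window(conn, store), store, site)
    if name == "phishing_html":
        # A page imitates the window in HTML with a guessed picture.
        win = phishing_page_attempt(b"guessed padlock picture", site)
        return user_accepts(win, store, site)
    raise ValueError(name)


if __name__ == "__main__":
    for case in ("legit", "stripped_tls", "substituted_cert", "phishing_html"):
        print(f"{case:17s} accepted={scenario(case)}")
```

Only the first scenario is accepted; the three interference cases each fail a different check (no window, wrong identity, wrong image), which is the point the post makes about the secret being held by the browser rather than by the remote page.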