[Cryptography] So please tell me. Why is my solution wrong?

Tom Mitchell mitch at niftyegg.com
Thu Feb 16 13:28:43 EST 2017


On Wed, Feb 15, 2017 at 11:41 AM, Joseph Kilcullen <kilcullenj at gmail.com>
wrote:

>
> The solution in 1 sentence reads:
>
> Once you view the web browser as an actor in the cryptography protocol
> everything else is classic cryptography i.e. your browser must authenticate
> itself by presenting a shared secret. That's it!


The solution is not a general case solution. It helps only in the special case of a hijacked web environment. It does not catch the case of a transparent application that can intercept keystrokes or even a paste from a previously filled mouse copy buffer.

Transparent applications must be trustworthy; they are a current attack method.

The problem with a special case like this is it establishes apparent but incomplete safety and habits. The habits alone are a risk as they establish expectations and a sense of security.

It still has value but is not sufficient. If local JavaScript can see the local image then it can be stolen or used in place.

On my android phone I run a tool that watches for transparent overlays.
This is a known attack with a number of permutations....

-- 
  T o m    M i t c h e l l