[Cryptography] So please tell me. Why is my solution wrong?
Joseph Kilcullen
kilcullenj at gmail.com
Fri Feb 17 04:08:34 EST 2017
On 16-Feb-17 6:28 PM, Tom Mitchell wrote:
> On Wed, Feb 15, 2017 at 11:41 AM, Joseph Kilcullen
> <kilcullenj at gmail.com> wrote:
>
>
> Once you view the web browser as an actor in the cryptography
> protocol everything else is classic cryptography i.e. your browser
> must authenticate itself by presenting a shared secret. That's it!
>
>
>
> It still has value but is not sufficient. If local JavaScript can see
> the local image then it can be stolen or used in place.
An important point: Fig1 is NOT a web page! Sure the layout looks like a
web page but that's just modern interfaces for you. The whole point is
that you are talking to personality (A) when you are looking at Fig1.
----
Taken from the paper:
April fool’s day at the BBC
---------------------------
Consider the following: it’s April fool’s day and someone at
the BBC decides to play a joke on their viewers. They pick a popular
brand of television, counterfeit its setup menu and then superimpose
that image over the live television broadcast. Viewers who own a
different brand of television will be like a Bank of Ireland customer
receiving a Bank of America phishing email i.e. they will know
immediately that it’s a scam. However, viewers with the correct
brand of television will think their television is malfunctioning as it
is presenting the setup menu no matter what they do. To prevent this
trick from working, viewers must customise their setup menu. Doing so is
creating a secret known by their television and themselves, but not
known by the BBC. This is identical to the solution to phishing attacks
i.e. Mallory cannot counterfeit what Mallory does not know. It’s a
viewer-television secret just like our browser-user secret.
Joseph