[Cryptography] So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Fri Feb 17 04:08:34 EST 2017


On 16-Feb-17 6:28 PM, Tom Mitchell wrote:
> On Wed, Feb 15, 2017 at 11:41 AM, Joseph Kilcullen
> <kilcullenj at gmail.com> wrote:
>
>
>     Once you view the web browser as an actor in the cryptography
>     protocol everything else is classic cryptography i.e. your browser
>     must authenticate itself by presenting a shared secret. That's it!
>
>
>
> It still has value but is not sufficient.  If local javascript can see 
> the local image then
> it can be stolen or used in place.


An important point: Fig1 is NOT a web page! Sure the layout looks like a 
web page but that's just modern interfaces for you. The whole point is 
that you are talking to personality (A) when you are looking at Fig1.


----
Taken from the paper:

April fool’s day at the BBC
---------------------------
Consider the following: it's April fool's day and someone at the BBC
decides to play a joke on their viewers. They pick a popular brand of
television, counterfeit its setup menu and then superimpose that image
over the live television broadcast. Viewers who own a different brand of
television will be like a Bank of Ireland customer receiving a Bank of
America phishing email, i.e. they will know immediately that it's a scam.
However, viewers with the correct brand of television will think their
television is malfunctioning as it is presenting the setup menu no matter
what they do. To prevent this trick from working, viewers must customise
their setup menu. Doing so is creating a secret known by their television
and themselves, but not known by the BBC. This is identical to the
solution to phishing attacks, i.e. Mallory cannot counterfeit what Mallory
does not know. It's a viewer-television secret just like our
browser-user secret.

Joseph