[114449] in cryptography@c2.net mail archive
Re: Dutch Transport Card Broken
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Feb 1 15:34:00 2008
Date: Fri, 1 Feb 2008 14:28:57 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, jamesd@echeque.com,
perry@piermont.com, cryptography@metzdowd.com
In-Reply-To: <20080201195816.56a53d1b@cs.columbia.edu>
On Fri, Feb 01, 2008 at 07:58:16PM +0000, Steven M. Bellovin wrote:
> On Fri, 01 Feb 2008 13:29:52 +1300
> pgut001@cs.auckland.ac.nz (Peter Gutmann) wrote:
> > (Anyone have any clout with Firefox or MS? Without significant
> > browser support it's hard to get any traction, but the browser
> > vendors are too busy chasing phantoms like EV certs).
> >
> The big issue is prompting the user for a password in a way that no one
> will confuse with a web site doing so. Given all the effort that's
> been put into making Javascript more and more powerful, and given
> things like picture-in-picture attacks, I'm not optimistic. It might
> have been the right thing, once upon a time, but the horse may be too
> far out of the barn by now to make it worthwhile closing the barn door.
And on top of that web site designers don't want browser dialogs for
HTTP/TLS authentication.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
