[133707] in cryptography@c2.net mail archive


Re: once more, with feeling.

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Sun Sep 21 16:38:12 2008

Date: Sun, 21 Sep 2008 12:56:05 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: pgut001@cs.auckland.ac.nz (Peter Gutmann),
	cryptography@metzdowd.com,
	dirkx@webweaving.org
In-Reply-To: <20080920155512.0203edf3@cs.columbia.edu>

At Sat, 20 Sep 2008 15:55:12 -0400,
Steven M. Bellovin wrote:
> 
> On Thu, 18 Sep 2008 17:18:00 +1200
> pgut001@cs.auckland.ac.nz (Peter Gutmann) wrote:
> 
> > - Use TLS-PSK, which performs mutual auth of client and server
> > without ever communicating the password.  This vastly complicates
> > phishing since the phisher has to prove advance knowledge of your
> > credentials in order to obtain your credentials (there are a pile of
> > nitpicks that people will come up with for this, I can send you a
> > link to a longer writeup that addresses them if you insist, I just
> > don't want to type in pages of stuff here).
> > 
> Once upon a time, this would have been possible, I think.  Today,
> though, the problem is the user entering their key in a box that is (a)
> not remotely forgeable by a web site that isn't using the browser's
> TLS-PSK mechanism; and (b) will *always* be recognized by users, even
> dumb ones.  Today, sites want *pretty* login screens, with *friendly*
> ways to recover your (or Palin's) password, and not just generic grey
> boxes.  Then imagine the phishing page that displays an artistic but
> purely imaginary "login" screen, with a message about "NEW!  Better
> navigation on our login page!"

This is precisely the issue.

There are any number of cryptographic techniques that would allow
clients and servers to authenticate to each other in a phishing
resistant fashion, but they all depend on ensuring that the
*client* has access to the password and that the attacker can't
convince the user to type their password into some dialog
that the attacker controls. That's the challenging technical
issue, but it's UI, not cryptographic.

-Ekr
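The property Gutmann describes (mutual authentication without ever sending the password, so a phisher must already know the credential to get anything out of the client) is easy to see in a toy challenge-response model. The following is an added illustration, not code from any poster or from TLS-PSK itself: it uses a password-derived key with HMAC proofs over both parties' nonces, and makes the client check the server's proof before producing its own. Names such as `HonestServer`, `PhishingServer`, `client_login`, the salt, password and iteration count are all constructed for the example.

```python
"""Toy PSK mutual authentication (constructed example, not TLS-PSK itself)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor only


def derive_psk(password: str, salt: bytes) -> bytes:
    """Turn the user's password into the key both sides hold.

    Enrolment runs this once and stores the result server-side; the client
    recomputes it at login time. The password itself is never transmitted.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def mac_proof(psk: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Proof of PSK knowledge, bound to both nonces and to the speaker's role."""
    return hmac.new(psk, role + client_nonce + server_nonce, hashlib.sha256).digest()


class HonestServer:
    """The real site: holds the derived PSK for each enrolled user."""

    def __init__(self, psk_store: dict):
        self.psk_store = psk_store  # username -> derived PSK

    def challenge(self, username: str, client_nonce: bytes):
        server_nonce = secrets.token_bytes(16)
        psk = self.psk_store[username]
        return server_nonce, mac_proof(psk, b"server", client_nonce, server_nonce)

    def verify_client(self, username, client_nonce, server_nonce, client_proof) -> bool:
        psk = self.psk_store[username]
        expected = mac_proof(psk, b"client", client_nonce, server_nonce)
        return hmac.compare_digest(expected, client_proof)


class PhishingServer:
    """Impersonator with no PSK. Records everything the client sends it."""

    def __init__(self):
        self.received = []

    def challenge(self, username, client_nonce):
        self.received.append(("hello", username, client_nonce))
        # Without the PSK it cannot compute a valid proof; it sends random
        # bytes and hopes the client does not check.
        return secrets.token_bytes(16), secrets.token_bytes(32)

    def verify_client(self, username, client_nonce, server_nonce, client_proof):
        self.received.append(("client_proof", client_proof))
        return True


def client_login(username: str, password: str, salt: bytes, server) -> dict:
    """Client side: the server must prove PSK knowledge before the client does."""
    psk = derive_psk(password, salt)
    client_nonce = secrets.token_bytes(16)
    server_nonce, server_proof = server.challenge(username, client_nonce)
    expected = mac_proof(psk, b"server", client_nonce, server_nonce)
    if not hmac.compare_digest(expected, server_proof):
        # Server failed to prove advance knowledge of the credential:
        # abort before anything password-derived leaves the client.
        return {"authenticated": False, "client_proof_sent": False}
    client_proof = mac_proof(psk, b"client", client_nonce, server_nonce)
    ok = server.verify_client(username, client_nonce, server_nonce, client_proof)
    return {"authenticated": ok, "client_proof_sent": True}


SALT = b"constructed-salt"      # constructed sample value
PASSWORD = "correct horse"      # constructed sample value


def demo():
    """Run one login against the real site and one against a phisher."""
    honest = HonestServer({"alice": derive_psk(PASSWORD, SALT)})
    phisher = PhishingServer()
    good = client_login("alice", PASSWORD, SALT, honest)
    bad = client_login("alice", PASSWORD, SALT, phisher)
    return good, bad, phisher.received
```

Against the honest server the login succeeds; against the impersonator the client aborts after the server's failed proof, and the only things the phisher ever receives are the username and a random nonce. Two caveats matter for reading the thread: a passive eavesdropper on an honest session still sees two MACs it can test candidate passwords against offline, which is why low-entropy PSKs are one of the "nitpicks" and why PAKE-style protocols exist; and, as Rescorla's reply stresses, all of this holds only if the password is handed to `client_login` (the browser's own PSK machinery) rather than typed into a form the attacker drew, which is the UI problem, not a cryptographic one.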

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
