[144284] in cryptography@c2.net mail archive
Re: Solving password problems one at a time, Re: The password-reset
daemon@ATHENA.MIT.EDU (Ed Gerck)
Tue Feb 24 13:26:23 2009
Date: Mon, 23 Feb 2009 17:23:33 -0800
From: Ed Gerck <edgerck@nma.com>
To: michaelslists@gmail.com
CC: cryptography@metzdowd.com
In-Reply-To: <5e01c29a0902231443y404436far7b345c2e9c63c0a3@mail.gmail.com>
silky wrote:
> On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck <edgerck@nma.com> wrote:
> [snip]
>
>> Thanks for the comment. The BofA SiteKey attack you mention does not work
>> for the web access scheme I mentioned because the usercode is private and
>> random with a very large search space, and is always sent after SSL starts
>> (hence, remains private).
>>
>
> This is meaningless. What attack is the 'usercode' trying to prevent?
> You said it's trying to authorise the site to the user. It doesn't do
> this, because a 3rd party site can take the usercode and send it to
> the 'real' site.
>
What usercode? The point you are missing is that there are 2^35 private
usercodes and you have no idea which one matches the email address that
you want to send your phishing email to.
The other points, including the TLS SMTP login I mentioned, might be
clearer with an example. I'll be happy to provide you with a test account.
Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com