[16652] in cryptography@c2.net mail archive
Re: AOL Help : About AOL® PassCode
daemon@ATHENA.MIT.EDU (Ian G)
Thu Jan 6 19:49:19 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 06 Jan 2005 13:10:31 +0000
From: Ian G <iang@systemics.com>
To: Joerg Schneider <js@joergschneider.com>
Cc: Florian Weimer <fw@deneb.enyo.de>, cryptography@metzdowd.com,
cypherpunks@al-qaeda.net
In-Reply-To: <41DD1672.2070207@joergschneider.com>
Joerg Schneider wrote:
> So, PassCode and similar forms of authentication help against the
> current crop of phishing attacks, but that is likely to change if
> PassCode gets used more widely and/or protects something of interest
> to phishers.
>
> Actually I have been waiting for phishing with MITM to appear for some
> time (I haven't any yet ...
By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real
time?
Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.
(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)
Perhaps we need a name for this: real time MITM
versus delayed time MITM? Batch time MITM?
> Assuming that MITM phishing will begin to show up and agreeing that
> PassCode over SSL is not the solution - what can be done to counter
> those attacks?
The user+client has to authenticate the server. Everything
that I've seen over the last two years seems to fall into
that one bucket.
> Mutual authentication + establishment of a secure channel should do
> the trick. SSL with client authentication comes to my mind...
Maybe. But that only addresses the MITM, not the
theft of user information.
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
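The distinction drawn in the thread (a delayed MITM that reuses collected credentials later, versus a real-time MITM that proxies through to the site, and the observation that the fix is for the client to authenticate the server) can be made concrete with a small model. The following is an added example, not code from the thread or from any AOL or PassCode implementation: the seed, the certificate fingerprints and the channel-binding construction (an HMAC over the server identity the client actually observed, keyed by the one-time code) are all constructed here for illustration.

```python
import hashlib
import hmac

# Constructed demo values (not from the thread): shared passcode seed and the
# certificate fingerprints the client would observe for the real site and for
# an intermediary terminating its own connection.
SEED = b"constructed-shared-seed"
REAL_FINGERPRINT = b"constructed-fingerprint-of-real-site"
RELAY_FINGERPRINT = b"constructed-fingerprint-of-intermediary"
STEP_SECONDS = 30  # passcode validity window, modelled after a time-based token


def passcode(seed: bytes, now: int) -> str:
    """Time-based one-time code: HMAC over the current 30-second step, truncated."""
    counter = (now // STEP_SECONDS).to_bytes(8, "big")
    return hmac.new(seed, counter, hashlib.sha1).hexdigest()[:6]


def bound_proof(code: str, fingerprint: bytes) -> str:
    """Hardened form (assumed scheme): the client never sends the code itself,
    only an HMAC over the identity of the server it actually connected to,
    keyed by the code. A relay that terminates its own connection shows the
    client a different identity, so the proof does not verify at the real site."""
    return hmac.new(code.encode(), fingerprint, hashlib.sha256).hexdigest()


class Server:
    """The real site: knows the shared seed and its own certificate fingerprint."""

    def __init__(self, seed: bytes, fingerprint: bytes) -> None:
        self.seed = seed
        self.fingerprint = fingerprint

    def verify_plain(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, passcode(self.seed, now))

    def verify_bound(self, proof: str, now: int) -> bool:
        expected = bound_proof(passcode(self.seed, now), self.fingerprint)
        return hmac.compare_digest(proof, expected)


def login(bound: bool, observed_fingerprint: bytes, sent_at: int, verified_at: int) -> bool:
    """One login attempt. observed_fingerprint is what the client's connection
    showed it; the server checks at verified_at, which is later than sent_at
    when the code is collected first and used afterwards."""
    server = Server(SEED, REAL_FINGERPRINT)
    code = passcode(SEED, sent_at)
    if bound:
        return server.verify_bound(bound_proof(code, observed_fingerprint), verified_at)
    return server.verify_plain(code, verified_at)


def scenarios(now: int = 1_100_000_000) -> dict:
    """Outcomes for the cases discussed in the thread (True = real site accepts)."""
    return {
        # Honest client talking directly to the real site.
        "direct_plain": login(False, REAL_FINGERPRINT, now, now),
        "direct_bound": login(True, REAL_FINGERPRINT, now, now),
        # Delayed ("batch time") MITM: code collected on a copy of the site,
        # used ten steps later. The one-time code has expired, so it fails.
        "delayed_plain": login(False, RELAY_FINGERPRINT, now, now + 10 * STEP_SECONDS),
        # Real-time MITM: the same code is forwarded within the same step.
        # A plain one-time code is accepted; a channel-bound proof is not,
        # because the client bound it to the intermediary's identity.
        "realtime_plain": login(False, RELAY_FINGERPRINT, now, now + 5),
        "realtime_bound": login(True, RELAY_FINGERPRINT, now, now + 5),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:15s} accepted={accepted}")
```

The binding step is the code-level form of "the user+client has to authenticate the server": the server only accepts when the identity the client saw matches its own. It also illustrates the caveat at the end of the message: the bound variant stops the proxied login, but anything the user typed into the copy of the site has still been disclosed to whoever ran it.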