[18645] in cryptography@c2.net mail archive


Re: US Banks: Training the next generation of phishing victims

daemon@ATHENA.MIT.EDU (Nick Owen)
Wed Oct 12 12:10:31 2005

X-Original-To: cryptography@metzdowd.com
Date: Wed, 12 Oct 2005 12:28:56 +0000
From: Nick Owen <nowen@wikidsystems.com>
To: cryptography@metzdowd.com
In-Reply-To: <E1EPc6c-0008TE-00@medusa01.cs.auckland.ac.nz>

Peter Gutmann wrote:
> 
> Can anyone who knows Javascript better than I do figure out what the mess of
> script on those pages is doing?  It looks like it's taking the username and
> password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
> it's a bit hard to follow what's going where.
> 

Why have the logon on your homepage at all? Why not just a link to the
https login???  If the goal is to not have SSL overhead on the homepage,
don't.  Or is there some extra overhead for login processing that I
don't know about?  Is there some user dissatisfaction with an extra
click to login?

I suppose if you really wanted non-SSL logins, you could use a one-time
passcode system with variable length passcodes to prevent race attacks.


-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
