
Re: Making Mobile BankID "phishsafe"

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Sun, 29 Nov 2015 11:38:05 +0000
To: public-credentials@w3.org
Message-ID: <565AE39D.70908@kent.ac.uk>
Hi Anders

The only way I know to stop phishing is to never have a remote web site
redirect the user to go to another site (or to itself) to authenticate,
since an evil web site will redirect the user to a phisher.

regards

David

On 29/11/2015 08:02, Anders Rundgren wrote:
> Hi Guys,
> 
> What is your solution for making things like the Swedish and Norwegian
> Mobile BankID schemes "phishsafe"?
> These schemes principally work as my QR-ID demo (although relying on
> hard-coded URLs):
> https://mobilepki.org/webauth/home
> https://cyberphone.github.io/openkeystore/resources/docs/QR-ID-presentation.pdf
> 
> A nice solution which in spite of using PKI is fully "phishable".
> 
> Anders
> 
> 
Received on Sunday, 29 November 2015 11:37:48 UTC
