
Re: Making Mobile BankID "phishsafe"

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 29 Nov 2015 16:01:34 +0100
To: David Chadwick <d.w.chadwick@kent.ac.uk>, public-credentials@w3.org
Message-ID: <565B134E.5010107@gmail.com>

On 2015-11-29 12:38, David Chadwick wrote:
> Hi Anders
> the only way I know to stop phishing is to never have a remote web site
> redirect the user to go to another site (or to itself) to authenticate,
> since an evil web site will redirect the user to a phisher.

That's indeed one take on the subject. I was rather thinking about making a "phished"
login useless, which is one of the "promises" of public-key schemes like U2F and PKI.

There are some vendors who claim to have solved this problem in setups like the one
depicted but these solutions are secret and probably wouldn't survive a deeper analysis.


> regards
> David
> On 29/11/2015 08:02, Anders Rundgren wrote:
>> Hi Guys,
>> What is your solution for making things like the Swedish and Norwegian
>> Mobile BankID schemes "phishsafe"?
>> These schemes principally work as my QR-ID demo (although relying on
>> hard-coded URLs):
>> https://mobilepki.org/webauth/home
>> https://cyberphone.github.io/openkeystore/resources/docs/QR-ID-presentation.pdf
>> A nice solution which, in spite of using PKI, is fully "phishable".
>> Anders
Received on Sunday, 29 November 2015 15:02:05 UTC
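Added example (not code from this thread, from BankID, or from the QR-ID demo): the two challenge-response flows discussed above, side by side. The first is a QR-ID/Mobile-BankID-style flow where the phone signs only the challenge; a phishing site can start a login at the real bank, relay the bank's challenge to the victim, and submit the victim's signature, so the "phished" login works even though a key pair was used. The second is a U2F-style flow where the client (browser) puts the origin it actually connected to into the signed data and the relying party checks it, which is what makes a phished signature useless. The origins `https://bank.example` and `https://evil.example`, the toy RSA key pair with small hard-coded primes, and the simplified client-data layout are all assumptions of this example; real U2F signs an application-ID hash, a counter and a hash of the client data with ECDSA P-256, but the binding argument is the same.

```python
import hashlib
import json
import secrets

# Toy RSA key pair with small, hard-coded primes (constructed for this example,
# far too small to be secure). The binding argument below does not depend on
# the signature algorithm; U2F uses ECDSA P-256.
P, Q = 1000000007, 1000000009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign(msg: bytes) -> int:
    """Sign SHA-256(msg) with the user's private key (textbook RSA, no padding)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    return pow(h, D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Check sig against SHA-256(msg) with the user's public key."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    return pow(sig, E, N) == h


class RelyingParty:
    """The bank's server; its origin (https://bank.example) is hypothetical."""

    def __init__(self, origin: str):
        self.origin = origin
        self.pending = set()  # one-shot challenges issued but not yet consumed

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def _consume(self, challenge) -> bool:
        if challenge in self.pending:
            self.pending.remove(challenge)
            return True
        return False

    # QR-ID / Mobile-BankID style: the phone signs the bare challenge.
    def verify_plain(self, challenge: str, sig: int) -> bool:
        return self._consume(challenge) and verify(challenge.encode(), sig)

    # U2F style: the signed blob also names the origin the client talked to.
    def verify_bound(self, client_data: bytes, sig: int) -> bool:
        try:
            data = json.loads(client_data)
        except ValueError:
            return False
        if not isinstance(data, dict) or not self._consume(data.get("challenge")):
            return False
        if data.get("origin") != self.origin:
            return False  # signed for some other site: reject
        return verify(client_data, sig)


def phone_sign_plain(challenge: str) -> int:
    """QR-ID style: sign whatever challenge was shown, e.g. scanned from a QR code."""
    return sign(challenge.encode())


def authenticator_sign_bound(challenge: str, origin: str):
    """U2F style: the browser inserts the origin it is really connected to and
    the token signs challenge and origin together."""
    client_data = json.dumps({"challenge": challenge, "origin": origin},
                             sort_keys=True).encode()
    return client_data, sign(client_data)


def honest_plain(rp: RelyingParty) -> bool:
    c = rp.new_challenge()
    return rp.verify_plain(c, phone_sign_plain(c))


def phished_plain(rp: RelyingParty) -> bool:
    # Phisher at https://evil.example starts a login at the real bank, obtains
    # a fresh challenge and shows it to the victim on the phishing page.
    c = rp.new_challenge()
    sig = phone_sign_plain(c)       # the victim's phone signs it as usual
    return rp.verify_plain(c, sig)  # True: the phisher is logged in


def honest_bound(rp: RelyingParty) -> bool:
    c = rp.new_challenge()
    client_data, sig = authenticator_sign_bound(c, rp.origin)
    return rp.verify_bound(client_data, sig)


def phished_bound(rp: RelyingParty) -> bool:
    # Same relay, but the victim's browser reports the phishing origin.
    c = rp.new_challenge()
    client_data, sig = authenticator_sign_bound(c, "https://evil.example")
    return rp.verify_bound(client_data, sig)  # False: wrong origin


def phisher_rewrites_origin(rp: RelyingParty) -> bool:
    # The phisher edits client_data to claim the bank's origin, but the
    # signature covers the original bytes, so it no longer verifies.
    c = rp.new_challenge()
    _, sig = authenticator_sign_bound(c, "https://evil.example")
    forged = json.dumps({"challenge": c, "origin": rp.origin},
                        sort_keys=True).encode()
    return rp.verify_bound(forged, sig)  # False


def run_all() -> dict:
    rp = RelyingParty("https://bank.example")
    return {"honest_plain": honest_plain(rp),
            "phished_plain": phished_plain(rp),
            "honest_bound": honest_bound(rp),
            "phished_bound": phished_bound(rp),
            "forged_origin": phisher_rewrites_origin(rp)}


if __name__ == "__main__":
    for name, accepted in run_all().items():
        print(f"{name:15s} login accepted: {accepted}")
```

The only difference between the two relying-party checks is that `verify_bound` refuses a signature whose signed client data names a different origin, and the phisher cannot fix that up afterwards because the origin sits inside the signed bytes. Note that the origin comes from the browser, not from anything the user types or scans, which is why a hard-coded URL in a phone app, as in the QR-ID flow, does not give the same guarantee.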