
Re: Making Mobile BankID "phishsafe"

From: Varn, Richard J <rvarn@ets.org>
Date: Sun, 29 Nov 2015 15:42:25 +0000
To: Anders Rundgren <anders.rundgren.net@gmail.com>
CC: David Chadwick <d.w.chadwick@kent.ac.uk>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <2F3C43CD-8CDC-4861-82C6-85AB68897313@ets.org>
When a secure token or similar two-way real-time machine level/cryptographic authentication is used, then the phishing is being used as part of a MIM exploit, correct? Unless you can bind the authentication exchange to a factor not replicable by the MIM to pass through (machine token plus IP plus geography plus not sure what), then you have to look to some other part of the stack for help. I would think we have to consider how the network layer has to contribute to detection of MIM variance or has to be part of the authentication string as far as routing and secure connection that cannot be passed through and hijacked and is connected to authentication process. Or I may just not understand the problem.

Sent from my iPhone

> On Nov 29, 2015, at 9:02 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>> On 2015-11-29 12:38, David Chadwick wrote:
>> Hi Anders
>>
>> the only way I know to stop phishing, is to never have a remote web site
>> redirect the user to go to another site (or to itself) to authenticate,
>> since an evil web site will redirect the user to a phisher.
>
> That's indeed one take on the subject. I was rather thinking about making a "phished"
> login useless which is one of the "promises" of public-key schemes like U2F and PKI.
>
> There are some vendors who claim to have solved this problem in setups like the one
> depicted but these solutions are secret and probably wouldn't survive a deeper analysis.
>
> Regards
> Anders
>
>>
>> regards
>>
>> David
>>
>>> On 29/11/2015 08:02, Anders Rundgren wrote:
>>> Hi Guys,
>>>
>>> What is your solution for making things like the Swedish and Norwegian
>>> Mobile BankID schemes "phishsafe"?
>>> These schemes principally work as my QR-ID demo (although relying on
>>> hard-coded URLs):
>>> https://mobilepki.org/webauth/home
>>> https://cyberphone.github.io/openkeystore/resources/docs/QR-ID-presentation.pdf
>>>
>>> A nice solution which in spite of using PKI is fully "phishable".
>>>
>>> Anders
>
>
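Anders's point that a public-key scheme such as U2F can make a phished login useless, and Richard's question about binding the exchange to something the man-in-the-middle cannot pass through, illustrated as an added example that is not from the thread or from any BankID implementation: a toy authenticator that signs either the bare challenge or the challenge plus the origin the client actually connected to, and a bank that verifies against its own origin. The origins, the single-key "any" scheme and the use of HMAC in place of real asymmetric signatures are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os

BANK = "https://bank.example"           # constructed legitimate origin
PHISHER = "https://bank-login.example"  # constructed look-alike origin


def mac(key: bytes, data: bytes) -> bytes:
    # HMAC stands in for the asymmetric signature a real U2F/PKI scheme uses
    return hmac.new(key, data, hashlib.sha256).digest()

class Authenticator:
    """Constructed model of the user's key holder (phone app or token)."""

    def __init__(self) -> None:
        self.master = os.urandom(32)

    def key_for(self, origin: str) -> bytes:
        # one key per origin; a public-key scheme would hold one key pair per RP
        return mac(self.master, b"key:" + origin.encode())

    def sign_challenge_only(self, challenge: bytes) -> bytes:
        # scheme A: the signed data says nothing about which site asked
        return mac(self.key_for("any"), challenge)

    def sign_origin_bound(self, challenge: bytes, origin: str) -> bytes:
        # scheme B: key and signed data both depend on the origin the client
        # actually connected to, which is what U2F's origin binding does
        return mac(self.key_for(origin), challenge + b"|" + origin.encode())

def bank_accepts(auth: Authenticator, challenge: bytes, sig: bytes, bound: bool) -> bool:
    # the bank checks against the key enrolled for it and its own origin;
    # auth.key_for(...) here models the key the bank stored at enrolment
    if bound:
        expected = mac(auth.key_for(BANK), challenge + b"|" + BANK.encode())
    else:
        expected = mac(auth.key_for("any"), challenge)
    return hmac.compare_digest(expected, sig)

def login_accepted(bound: bool, user_origin: str) -> bool:
    """One login: the bank issues a challenge, the user signs it while visiting
    user_origin (BANK for an honest login, PHISHER when a phisher relays it)."""
    auth, challenge = Authenticator(), os.urandom(16)
    if bound:
        sig = auth.sign_origin_bound(challenge, user_origin)
    else:
        sig = auth.sign_challenge_only(challenge)
    return bank_accepts(auth, challenge, sig, bound)
```

With scheme A the relayed signature is accepted by the bank, so the phishing site's man-in-the-middle works; with scheme B the same relay yields a signature over the wrong origin under the wrong key and is rejected, without the network layer having to detect anything.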

Received on Sunday, 29 November 2015 15:42:58 UTC
