
Re: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistent to online and offline attacks)

From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 13 Mar 2007 10:19:48 +0100
To: Jörg Schwenk <joerg.schwenk@rub.de>
Cc: "'James A. Donald'" <jamesd@echeque.com>, "'Chris Drake'" <christopher@pobox.com>, <public-usable-authentication@w3.org>
Message-ID: <87ps7dzeiz.fsf@mid.deneb.enyo.de>

* Jörg Schwenk:

> - THE real problem today is mitm with Trojan horses: they have access to
> nearly any information available to the browser. A secure mode (where all
> plugins are disabled when SSL is enabled) would be needed.

And this wouldn't work reliably either because malware isn't
restricted to the official browser APIs.

There is no easy solution, especially if you are a player with a high
market penetration.  The best approach today is to avoid creating the
impression that the whole mess is your problem.  The ISPs are very
successful at that, but it looks like browser vendors are losing it.

Received on Wednesday, 14 March 2007 20:33:32 GMT
