
Re: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistant to online and offline attacks)

From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 13 Mar 2007 10:48:35 +0100
To: "Dan Schutzer" <dan.schutzer@fstc.org>
Cc: "'Chris Drake'" <christopher@pobox.com>, 'Jörg Schwenk' <joerg.schwenk@rub.de>, "'James A. Donald'" <jamesd@echeque.com>, <public-usable-authentication@w3.org>
Message-ID: <87k5xlzd70.fsf@mid.deneb.enyo.de>

* Dan Schutzer:

> One time passwords are susceptible to real time man in the middle
> attacks

You don't even need real-time attacks, you just block every other
transaction, claiming that the password has already been used, and
have the Trojan horse send you those unused passwords.  That's why
it's interesting to tie one-time passwords to particular transactions.

There are very complex trade-offs involved, and the whole thing is a
topic of ongoing research, on both sides.

> Cookies can be insecure if they store sensitive information in the clear

A lot of sensitive cookies are insecure because they aren't restricted
to HTTPS. 8-(

Received on Wednesday, 14 March 2007 20:33:32 GMT
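The point about tying one-time passwords to particular transactions, worked through as an added example (not code from the thread or from any product discussed in it). It contrasts a plain counter-based code with one whose MAC input also covers the transaction text, using a constructed shared secret and constructed transaction strings; the HOTP-style truncation is the RFC 4226 one, and the verifier class, its look-ahead window and the `bind_transactions` switch are assumptions made for the illustration. The observable difference: an unused plain code verifies for whatever transaction is presented with it, while a transaction-bound code only verifies together with the transaction it was issued for.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example; a real deployment provisions one per token.
SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef")


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a fixed-width decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def plain_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-only OTP: the code depends on nothing but the shared secret and counter."""
    msg = struct.pack(">Q", counter)
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


def transaction_otp(secret: bytes, counter: int, transaction: str, digits: int = 6) -> str:
    """Transaction-bound OTP: the MAC input also covers the length-prefixed transaction text,
    so the same counter yields a different code for a different transaction."""
    tx = transaction.encode("utf-8")
    msg = struct.pack(">Q", counter) + struct.pack(">I", len(tx)) + tx
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


class OtpVerifier:
    """Server side (hypothetical): accepts a code for any counter within a look-ahead
    window past the last accepted one, then advances the counter past it."""

    def __init__(self, secret: bytes, window: int = 5, bind_transactions: bool = False):
        self.secret = secret
        self.window = window
        self.bind = bind_transactions
        self.next_counter = 0

    def verify(self, code: str, transaction: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = (transaction_otp(self.secret, c, transaction)
                        if self.bind else plain_otp(self.secret, c))
            if hmac.compare_digest(expected, code):
                self.next_counter = c + 1  # each counter value is accepted once
                return True
        return False


def demo() -> tuple:
    """Returns (plain_unused_code_accepted_elsewhere, bound_code_rejected_elsewhere,
    bound_code_accepted_for_own_transaction)."""
    intended = "pay 10 EUR to Alice"       # constructed transaction
    other = "pay 1000 EUR to Mallory"      # constructed, different transaction

    # Plain OTP: the client generated codes for counters 0 and 1, only counter 0 was submitted.
    plain = OtpVerifier(SECRET, bind_transactions=False)
    plain.verify(plain_otp(SECRET, 0), intended)
    unused_plain = plain_otp(SECRET, 1)
    plain_elsewhere = plain.verify(unused_plain, other)   # the transaction text is irrelevant

    # Transaction-bound OTP: the unused code was computed for `intended` and nothing else.
    bound = OtpVerifier(SECRET, bind_transactions=True)
    bound.verify(transaction_otp(SECRET, 0, intended), intended)
    unused_bound = transaction_otp(SECRET, 1, intended)
    bound_elsewhere = bound.verify(unused_bound, other)    # mismatch for every counter in the window
    bound_own = bound.verify(unused_bound, intended)       # still valid for its own transaction
    return plain_elsewhere, bound_elsewhere, bound_own


if __name__ == "__main__":
    print(demo())
```

The binding only helps if the user actually sees the transaction text that goes into the code (the usual reason for an external display or a separate channel); a code computed on the same compromised endpoint over attacker-chosen text proves nothing, which is part of the trade-off the message alludes to.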
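On the last remark, a cookie that is not restricted to HTTPS: the check below is an added example, not something from the thread, that parses `Set-Cookie` headers and reports the attributes a session cookie should carry. The headers are constructed samples; the finding codes and the `audit_all` helper are assumptions of the example. The `Secure`, `HttpOnly` and `SameSite` attributes and the `__Host-` prefix rules (Secure required, no Domain, Path=/) are the standard ones.

```python
from typing import Dict, List, Tuple

# Constructed sample headers: the first is the "sensitive cookie without Secure" case,
# the second is the corrected form, the third misuses the __Host- prefix.
SAMPLE_HEADERS = [
    "SESSIONID=3f2a9c1e; Path=/",
    "SESSIONID=3f2a9c1e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-sid=8b1d; Path=/; Domain=example.test; HttpOnly",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split a Set-Cookie value into (name, value, attributes); attribute names are
    case-insensitive, valueless attributes (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Return the cookie name and a list of finding codes for the header."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("no-secure")        # browser will also send it over plain HTTP
    if "httponly" not in attrs:
        findings.append("no-httponly")      # readable from script
    if "samesite" not in attrs:
        findings.append("no-samesite")      # sent on cross-site requests by default rules
    if name.startswith("__Host-"):
        # The prefix is only honoured when Secure is set, Domain is absent and Path is "/".
        if "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
            findings.append("host-prefix-violation")
    return name, findings


def audit_all(headers: List[str]) -> List[Tuple[str, List[str]]]:
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS):
        print(name, findings or "ok")
```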
