- From: <michael.mccormick@wellsfargo.com>
- Date: Thu, 12 Apr 2007 18:43:59 -0500
- To: <Chuck@Interisle.net>
- Cc: <public-wsc-wg@w3.org>, <Jim@ChallengeAndResponse.com>
- Message-ID: <8A794A6D6932D146B2949441ECFC9D6803608565@msgswbmnmsp17.wellsfargo.com>
Yes, I read Jim Youll's paper when he published it last year and completely agree with you. This latest MitM demo attack just proves a vulnerability that he & others started pointing out to the industry more than a year ago.

I did find the slashdot article of particular interest to WSC potentially, because it makes a series of specific recommendations to users about browser security cues (check for both padlock and https, etc.).

_____

From: Chuck Wade [mailto:Chuck@Interisle.net]
Sent: Thursday, April 12, 2007 6:36 PM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org; Jim Youll
Subject: Re: FW: sitekey auth busted on BoA site

Mike, et al,

While it is interesting that new exploits have been demonstrated of the PassMark (a.k.a., SiteKey) authentication scheme, it is worth noting that Jim Youll published a paper last summer that described an actual attack methodology that was demonstrated. The paper is available at:

<http://cr-labs.com/publications/index.html>

I mention this since I still feel that Jim's paper is a thoughtful analysis that goes beyond mere discussion of potential exploits and attempts to derive useful lessons. It's worth reading, not because it finds some chinks in somebody's armor, but because it looks at the larger picture, including the role of marketing.

...Chuck

_____________________________
Chuck Wade, Principal
Interisle Consulting Group
+1 508 435-3050 Office
+1 508 277-6439 Mobile
www.interisle.net

michael.mccormick@wellsfargo.com wrote:

http://it.slashdot.org/it/07/04/12/1444204.shtml
Received on Thursday, 12 April 2007 23:44:09 UTC