
RE: FW: sitekey auth busted on BoA site

From: <michael.mccormick@wellsfargo.com>
Date: Thu, 12 Apr 2007 18:43:59 -0500
Message-ID: <8A794A6D6932D146B2949441ECFC9D6803608565@msgswbmnmsp17.wellsfargo.com>
To: <Chuck@Interisle.net>
Cc: <public-wsc-wg@w3.org>, <Jim@ChallengeAndResponse.com>
Yes, I read Jim Youll's paper when he published it last year and completely
agree with you.  This latest MitM demo attack just proves a vulnerability
that he & others started pointing out to the industry more than a year ago.
 
I did find the slashdot article of particular interest to WSC potentially,
because it makes a series of specific recommendations to users about browser
security cues (check for both padlock and https, etc.).

  _____  

From: Chuck Wade [mailto:Chuck@Interisle.net] 
Sent: Thursday, April 12, 2007 6:36 PM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org; Jim Youll
Subject: Re: FW: sitekey auth busted on BoA site


Mike, et al,

While it is interesting that new exploits have been demonstrated of the
PassMark (a.k.a., SiteKey) authentication scheme, it is worth noting that
Jim Youll published a paper last summer that described an actual attack
methodology that was demonstrated. The paper is available at:

    <http://cr-labs.com/publications/index.html>

I mention this since I still feel that Jim's paper is a thoughtful analysis
that goes beyond mere discussion of potential exploits and attempts to
derive useful lessons. It's worth reading, not because it finds some chinks
in somebody's armor, but because it looks at the larger picture, including
the role of marketing.

...Chuck

_____________________________
   Chuck Wade, Principal
   Interisle Consulting Group
   +1  508 435-3050  Office
   +1  508 277-6439  Mobile
   www.interisle.net

michael.mccormick@wellsfargo.com wrote:

http://it.slashdot.org/it/07/04/12/1444204.shtml

Received on Thursday, 12 April 2007 23:44:09 GMT
