- From: Ben Laurie <benl@google.com>
- Date: Fri, 14 Jan 2011 10:00:18 +0000
- To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
- Cc: apps-discuss@ietf.org, dwm@xpasc.com, hallam@gmail.com, http-auth@ietf.org, ietf-http-wg@w3.org, kitten@ietf.org, marsh@extendedsubset.com, romeda@gmail.com, saag@ietf.org, websec@ietf.org, zedshaw@zedshaw.com
On 14 January 2011 02:24, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> Marsh Ray <marsh@extendedsubset.com> writes:
>
>>Phishing can be said to have been prevented only when the user can be relied
>>upon to refuse to enter his password into an insecure box.
>
> I think you need to phrase that more generally, "when the user can be relied
> upon to not authenticate to the wrong site", because there are more ways of
> authenticating around than just typing a string into a web form. For example
> some password managers do site-specific passwords, so even if you go to the
> wrong site you can't accidentally provide your credentials for the correct
> site.

That phrasing is only correct if the authentication method leaks the password...

>
>>For example, my bank asks for my username and then shows me a familiar
>>picture (e.g., a rocking horse) that is supposed to prevent phishing. This
>>stops phishing only in the sense that it requires the attacker to use a CGI
>>proxy app rather than a simple static phishing site.
>
> ... or display a broken-image GIF, or a message that the award-winning
> security whatsit is being upgraded and will be back soon, or ...
>
> (this is from a real-world evaluation of the (in-)effectiveness of site
> images, I can dig up the ref if required). Site images rate more as a
> security gimmick than any real security measure.

Exactly.
Received on Friday, 14 January 2011 10:00:52 UTC
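The site-specific passwords Peter Gutmann refers to above are the one concrete anti-phishing technique in this exchange, so here is a small worked illustration of the idea. This is added example code written for this page, not code from the thread, from any of its participants, or from any real password manager: the master secret, the `bank.example` / `evil.test` URLs, the `site_key`, `derive_site_password` and `credential_usable_at` names and the 64-symbol alphabet are all assumptions made for the example. The point it demonstrates is that when the password is a keyed function of the origin the user is actually talking to, whatever the victim types into a look-alike, homoglyph or http-downgraded login page is not the password for the real site, so Marsh Ray's relaying attacker gets nothing usable.

```python
"""Added example: site-specific passwords of the kind the thread mentions.

Illustrative code written for this page, not any password manager's actual
scheme. It binds a password to the origin the user is talking to, so a
credential typed into a look-alike site is not the credential for the real
one. Names, URLs, the master secret and the alphabet are assumptions.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# 64 symbols: each derived byte maps to one symbol with no modulo bias.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@")


def site_key(url: str) -> str:
    """Reduce a URL to the identity the password is bound to.

    Here: scheme plus the IDNA (ASCII) form of the lowercased host, with
    port, path and query dropped. Binding the scheme means an http://
    downgrade of the login page gets a different password. Many real
    managers bind to the registrable domain instead; that needs the
    public suffix list and is deliberately left out of this example.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    # IDNA encoding turns a homoglyph label into an xn-- label, so it
    # can never collide with the ASCII name it imitates.
    host = parts.hostname.encode("idna").decode("ascii")
    return f"{parts.scheme}://{host}"


def derive_site_password(master_secret: bytes, url: str, length: int = 20) -> str:
    """Per-site password = encode(HMAC-SHA256(master_secret, site_key(url)))."""
    if not 1 <= length <= hashlib.sha256().digest_size:
        raise ValueError("length must be between 1 and 32")
    tag = hmac.new(master_secret, site_key(url).encode("ascii"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in tag[:length])


def credential_usable_at(master_secret: bytes, typed_at: str, target: str) -> bool:
    """Would the password the user typed at `typed_at` log in at `target`?

    This models the relaying attacker from the thread: the phishing page
    forwards whatever the victim typed to the real site.
    """
    return hmac.compare_digest(
        derive_site_password(master_secret, typed_at),
        derive_site_password(master_secret, target),
    )


# Constructed sample data for the demonstration (not real sites).
MASTER = b"correct horse battery staple"                  # the user's one secret
BANK = "https://online.bank.example/login"
BANK_OTHER_PAGE = "https://online.bank.example/accounts?tab=1"
LOOKALIKE = "https://online.bank.example.evil.test/login"  # attacker's subdomain
HOMOGLYPH = "https://online.b\u0430nk.example/login"        # Cyrillic 'а' in "bank"
DOWNGRADED = "http://online.bank.example/login"            # sslstrip-style page

if __name__ == "__main__":
    print("bank     :", derive_site_password(MASTER, BANK))
    print("lookalike:", derive_site_password(MASTER, LOOKALIKE))
    for phish in (LOOKALIKE, HOMOGLYPH, DOWNGRADED):
        print(f"relay from {phish} works: {credential_usable_at(MASTER, phish, BANK)}")
```

Two design choices worth noting: the derivation is keyed (HMAC with the master secret) rather than a plain hash of secret and site, so a leaked per-site password for one origin says nothing about the others; and the host is IDNA-encoded before being fed in, which is what makes the Cyrillic homoglyph case land on a different key instead of silently colliding with the real name.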