- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 29 Nov 2015 16:01:34 +0100
- To: David Chadwick <d.w.chadwick@kent.ac.uk>, public-credentials@w3.org
On 2015-11-29 12:38, David Chadwick wrote: > Hi Anders > > the only way I know to stop phishing, is to never have a remote web site > redirect the user to go to another site (or to itself) to authenticate, > since an evil web site will redirect the user to a phisher. That's indeed one take on the subject. I was rather thinking about making a "phished" login useless which is one of the "promises" of public-key schemes like U2F and PKI. There are some vendors who claim to have solved this problem in setups like the one depicted but these solutions are secret and probably wouldn't survive a deeper analysis. Regards Anders > > regards > > David > > On 29/11/2015 08:02, Anders Rundgren wrote: >> HI Guys, >> >> What is your solution for making things like the Swedish and Norwegian >> Mobile BankID schemes "phishsafe"? >> These schemes principally work as my QR-ID demo (although relying on >> hard-coded URLs): >> https://mobilepki.org/webauth/home >> https://cyberphone.github.io/openkeystore/resources/docs/QR-ID-presentation.pdf >> >> A nice solution which in spite of using PKI is fully "phishable". >> >> Anders >> >> >
Received on Sunday, 29 November 2015 15:02:05 UTC