- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Tue, 13 Mar 2007 10:48:35 +0100
- To: "Dan Schutzer" <dan.schutzer@fstc.org>
- Cc: "'Chris Drake'" <christopher@pobox.com>, 'Jörg Schwenk' <joerg.schwenk@rub.de>, "'James A. Donald'" <jamesd@echeque.com>, <public-usable-authentication@w3.org>
* Dan Schutzer:

> One time passwords are susceptible to real time man in the middle
> attacks

You don't even need real-time attacks, you just block every other transaction, claiming that the password has already been used, and have the Trojan horse send you those unused passwords. That's why it's interesting to tie one-time passwords to particular transactions. There are very complex trade-offs involved, and the whole thing is a topic of ongoing research, on both sides.

> Cookies can be insecure if they store sensitive information in the clear

A lot of sensitive cookies are insecure because they aren't restricted to HTTPS. 8-(
Received on Wednesday, 14 March 2007 20:33:32 UTC
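The transaction-bound one-time password that Florian mentions, as an added illustration that is not part of the original thread: a code derived from the counter alone is accepted for whatever transfer the Trojan horse substitutes, while a code that also covers the destination and amount the user confirmed is rejected. The `otp`/`Bank` names, the demo seed and the account strings are all constructed for this example.

```python
import hashlib
import hmac
import struct
from typing import Optional

def otp(secret: bytes, counter: int, tx: Optional[dict] = None, digits: int = 8) -> str:
    """HMAC-based one-time code. With tx=None it depends on the counter only
    (a plain OTP list); with tx it also covers the transaction the user sees."""
    msg = struct.pack(">Q", counter)
    if tx is not None:
        # Canonical encoding of the fields the user confirms on the token/phone.
        msg += f"{tx['dest']}|{tx['amount']}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226).
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Bank:
    """Minimal verifier that burns each counter value after one successful use."""
    def __init__(self, secret: bytes, bound: bool):
        self.secret, self.bound, self.counter = secret, bound, 0

    def submit(self, tx: dict, code: str) -> bool:
        expected = otp(self.secret, self.counter, tx if self.bound else None)
        if hmac.compare_digest(expected, code):
            self.counter += 1   # a used code can never be replayed
            return True
        return False

def mitm_demo(bound: bool) -> bool:
    """The user authorises one transfer; the Trojan horse submits the same
    code on an altered transfer. Returns True if the altered one is accepted."""
    secret = b"constructed demo seed, not a real token secret"
    bank = Bank(secret, bound)
    user_tx = {"dest": "acct-0001", "amount": "25.00"}      # constructed
    user_code = otp(secret, bank.counter, user_tx if bound else None)
    evil_tx = {"dest": "acct-0099", "amount": "9500.00"}    # constructed
    return bank.submit(evil_tx, user_code)

if __name__ == "__main__":
    print("unbound OTP, altered transfer accepted:", mitm_demo(bound=False))
    print("bound OTP, altered transfer accepted:  ", mitm_demo(bound=True))
```

The remaining weakness the mail points at is unchanged by binding: a code the user never submits (because the Trojan horse blocked the transaction) is still usable by whoever harvested it, so the server must also refuse to accept codes for counter values it has already moved past.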