RE: FW: sitekey auth busted on BoA site

From: <michael.mccormick@wellsfargo.com>
Date: Thu, 12 Apr 2007 18:43:59 -0500
Message-ID: <8A794A6D6932D146B2949441ECFC9D6803608565@msgswbmnmsp17.wellsfargo.com>
To: <Chuck@Interisle.net>
Cc: <public-wsc-wg@w3.org>, <Jim@ChallengeAndResponse.com>

Yes, I read Jim Youll's paper when he published it last year and completely
agree with you.  This latest MitM demo attack just proves a vulnerability
that he & others started pointing out to the industry more than a year ago.
I did find the Slashdot article of particular interest to WSC potentially,
because it makes a series of specific recommendations to users about browser
security cues (check for both padlock and https, etc.).


From: Chuck Wade [mailto:Chuck@Interisle.net]
Sent: Thursday, April 12, 2007 6:36 PM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org; Jim Youll
Subject: Re: FW: sitekey auth busted on BoA site

Mike, et al,

While it is interesting that new exploits have been demonstrated of the
PassMark (a.k.a., SiteKey) authentication scheme, it is worth noting that
Jim Youll published a paper last summer that described an actual attack
methodology that was demonstrated. The paper is available at:


I mention this since I still feel that Jim's paper is a thoughtful analysis
that goes beyond mere discussion of potential exploits and attempts to
derive useful lessons. It's worth reading, not because it finds some chinks
in somebody's armor, but because it looks at the larger picture, including
the role of marketing.


   Chuck Wade, Principal
   Interisle Consulting Group
   +1  508 435-3050  Office
   +1  508 277-6439  Mobile

Received on Thursday, 12 April 2007 23:44:09 UTC