Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Solutions to phishing and to site spoofing
From: Amir Herzberg <herzbea () cs biu ac il>
Date: Tue, 30 Nov 2004 09:26:49 +0200
Re Michael's proposal (http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html): I agree with others that it is not reasonable to build security on (insecure) e-mail. In particular I agree with Rogan: if you are willing to have users install private/public key pair, with public key known to server, then you can authenticate the user using SSL/TLS client authentication - no need for passwords at all, very convenient (once the keys are installed as I wrote above). 

Finally, I also agree with Mark Burnett, who said:

> Protecting authentication credentials is also a problem, but the
> solution to phishing is more one of authenticating the site rather
> than authenticating the user. First solving the issue of
> authenticating the site makes it easier to solve the problem of
> authenticating the user.
Let me add that site authentication is also important when clients cannot be authenticated, e.g. by a web store prompting for credit card or other personal details, or a source of sensitive information, e.g. software download or financial information. Site authentication is the basic function of SSL/TLS, but I believe it is currently poorly implemented, since the UI is not visible enough, and since browsers trust many certificate authorities that users are not even aware of. We have some initial survey results which support this strongly.
I will appreciate your feedback on TrustBar, our proposal (and implementation) of a browser add-on (hopefully to be integrated with future browsers), to address these concerns. You can download TrustBar from http://TrustBar.MozDev.org for Mozilla and FireFox; the open source code should also be there soon (or e-mail me to get it). Or read about it and about the secure UI principles and research (including survey) behind it at http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm. 
I am trying to arrange an IE implementation (any takers?)

Best,

Amir Herzberg
http://AmirHerzberg.com
Associate Prof., Computer Science Dept
Bar Ilan University

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]