On Sat, Jan 5, 2013 at 6:54 AM, Anders Rundgren <[email protected]> wrote:
> If two-factor authentication was actually usable (i.e. <keygen> & friends
> were replaced by something mere mortals could understand), these
> kinds of attacks would be much less powerful.

Devil's advocate: what does two-factor have to do with setting up a secure channel based on a public CA hierarchy?

OT: are you aware of any PAKEs that use two factors (password and token)? I don't recall any, and would have to get into the academic literature.

Jeff

> On 2013-01-05 05:11, Jeffrey Walton wrote:
>> Hi All,
>>
>> From Dr. Geer on the Cryptography mailing list
>> (http://lists.randombit.net/mailman/listinfo/cryptography).
>>
>> It's another reason to pin your certificates. Stop accepting the
>> "broken" as the "norm".
>>
>> Not everyone is a bank who can be irresponsible and pass losses caused
>> by mistakes onto shareholders in pursuit of profits (re: risk
>> acceptance). In some cases, people's lives depend upon it.
>>
>> +1 to Google and AOSP for recognizing the problem, and taking action
>> early. I owe the security team a beer.
>>
>> Jeff
>>
>> ---------- Forwarded message ----------
>> From: <[email protected]>
>> Date: Fri, Jan 4, 2013 at 6:40 PM
>> Subject: [cryptography] another cert failure
>> To: [email protected]
>>
>> you may have already seen this, but
>>
>> http://www.bbc.co.uk/news/technology-20908546
>>
>> Cyber thieves pose as Google+ social network
>>
>> The lapse let cyber thieves trick people into thinking they were
>> on Google+
>>
>> Web browser makers have rushed to fix a security lapse that cyber
>> thieves abused to impersonate Google+
>>
>> The loophole exploited ID credentials that browsers use to ensure
>> a website is who it claims to be.
>>
>> By using the fake credentials, criminals created a website that
>> purported to be part of the Google+ social media network.
>>
>> The fake ID credentials have been traced back to Turkish security
>> firm TurkTrust which mistakenly issued them.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
