Peter Gutmann wrote:
> And that's its killer feature: Although you can still be duped into handing
> out your password to a fake site, you simply cannot connect securely without
> prior mutual authentication of client and server if TLS-PSK is used.

If I have understood the draft correctly, using PSKs means that the server and the client have a shared secret that they must communicate securely beforehand, and that they use some form of ZKP to assure the other party that they know that secret without revealing it.

If that's indeed so, wouldn't this have key management and storage issues that PK was designed to prevent in the first place? Also, the prior secure exchange of secrets would seem to preclude communication between entities that don't know each other. That, however, is how many businesses (including eBay, in whose name much phishing spam is generated) operate. Additionally, I don't think that this is just a UI issue; after all, both the client and the server must somehow manage the PSKs. There are probably expiration and revocation problems: what if my computer gets stolen and I can't get at my PSK? Does this mean that I can't do business with my bank anymore? What if I suspect that someone has stolen my PSK (for example with the same JavaScript attack that phished my password)? And so on and so on.

I'm not saying that the idea is bad, far from it; I'm just saying that there are probably many practical problems to be solved before this can be widely deployed.

Or perhaps I haven't understood the draft correctly.

> What'd be necessary in conjunction with this is two small changes to the
> browser UI:

...and the PSK management code in the server and in the client.


Stephan Neuhaus
Universität des Saarlandes, Department of Informatics
Postfach 15 11 50, 66041 Saarbrücken, Germany

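To make the mutual-authentication property under discussion concrete, here is an added Python model (not code from the thread, the draft, or any TLS implementation) of how a PSK handshake binds both sides to the shared secret: the PSK feeds key derivation, as in TLS-PSK, and each side proves knowledge of the derived key with a Finished MAC over the transcript. The identity, PSK value and HMAC-based derivation are constructed for the demo and are a simplification, not TLS's actual key schedule; the point is that a look-alike server that holds the user's identity but not the PSK cannot complete the handshake, so nothing secret is ever sent to it.

```python
import hmac
import hashlib
import os

# Constructed demo PSK store on the genuine server, keyed by PSK identity.
SERVER_PSKS = {b"alice@example.test": bytes.fromhex("00112233445566778899aabbccddeeff")}


def derive_handshake_key(psk: bytes, transcript: bytes) -> bytes:
    # Simplified HMAC-based derivation: the PSK is key material, not something either
    # side transmits. Without the PSK, this key cannot be computed from the transcript.
    return hmac.new(psk, b"handshake key" + transcript, hashlib.sha256).digest()


def finished_mac(key: bytes, transcript: bytes, role: bytes) -> bytes:
    # Each side proves it derived the same key by MACing the full transcript plus its role.
    return hmac.new(key, role + transcript, hashlib.sha256).digest()


def psk_handshake(identity: bytes, client_psk: bytes, server_lookup) -> bool:
    """Run a client/server exchange; True only if both Finished checks pass."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    transcript = identity + client_random + server_random

    server_psk = server_lookup(identity)
    if server_psk is None:
        return False  # unknown identity: the server has no secret to authenticate with

    # Server speaks first, so the client verifies the server before revealing anything.
    server_key = derive_handshake_key(server_psk, transcript)
    server_finished = finished_mac(server_key, transcript, b"server")

    client_key = derive_handshake_key(client_psk, transcript)
    expected = finished_mac(client_key, transcript, b"server")
    if not hmac.compare_digest(server_finished, expected):
        return False  # server could not prove PSK knowledge: client aborts (phishing site case)

    client_finished = finished_mac(client_key, transcript, b"client")
    return hmac.compare_digest(client_finished, finished_mac(server_key, transcript, b"client"))


def phishing_server_lookup(identity: bytes):
    # A fake site knows the identity the user typed but must guess the PSK.
    return os.urandom(16)
```

The same `server_lookup` hook is where the key-management burden raised in the reply lives: the server must store, expire and revoke one PSK per identity, and a lost or stolen client PSK is only handled by replacing the entry.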