silky wrote:
On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck <> wrote:
Thanks for the comment. The BofA SiteKey attack you mention does not work
for the web access scheme I mentioned because the usercode is private and
random with a very large search space, and is always sent after SSL starts
(hence, remains private).

This is meaningless. What attack is the 'usercode' trying to prevent?
You said it's trying to authorise the site to the user. It doesn't do
this, because a 3rd party site can take the usercode and send it to
the 'real' site.

What usercode? The point you are missing is that there are 2^35 private usercodes and you have no idea which one matches the email address that you want to send your phishing email to.

The other points, including the TLS SMTP login I mentioned, might be clearer with an example. I'll be happy to provide you with a test account.

Ed Gerck

