On Thu, May 1, 2014 at 1:25 AM, Ben Laurie <b...@links.org> wrote:
> On 1 May 2014 08:19, James A. Donald <jam...@echeque.com> wrote:
> > On 2014-04-30 02:14, Jeffrey Goldberg wrote:
> >>
> >> On 2014-04-28, at 5:00 PM, James A. Donald <jam...@echeque.com> wrote:
> >>
> >>> Cannot outsource trust. Ann usually knows more about Bob than a distant
> >>> authority does.
> >>
> >>
> >> So should Ann verify the fingerprints of Amazon, and Paypal herself?
> >
> >
> > Ann should be logging on by zero knowledge password protocol, so that the
> > entity that she logs on to proves it already knows the hash of her password.
>
> EXACTLY!!!
>
> > ZKPP has to be in the browser chrome, not on the browser web page.
>
> This seems obvious, but experiments show users do not understand it.
> We have yet to find a satisfactory answer to a trusted path for
> ordinary users.
>
> > How do you see that working assuming that Ann is an "ordinary user"?
> >
> > To the ordinary user, should not behave any different, and should only look
> > different in that the ZKPP login screen looks different from any possible
> > web page in a way that is quite difficult to fake for any software that does
> > not already have total control of the users machine.
> >
> > Details of how to achieve unfakeable logon screen appearance depend on OS
> > version. To make the ZKPP logon screen in Windows 7 different from any
> > possible web page, have the browser web page vanish when the browser's
> > genuine ZKPP logon screen is up. Analogous but different gimmicks are
> > feasible in other operating systems and system versions.
>
> Once more: technically unfakeable turns out to be a long way from
> usably unfakeable.
And remember that on tablet and mobile devices the foreground program, without the user ever clicking "maximize/full screen" like on a desktop/laptop OS, has control of every pixel on the screen and can do whatever it damned well pleases.

-David Mercer
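An added example, not code from this thread or from any project it mentions, of the property James A. Donald describes: a login in which the server must prove it already holds a verifier derived from Ann's password, and a site that does not hold it cannot fake that proof. The thread names no specific protocol; SRP-6a with SHA-256 over the RFC 5054 1024-bit group (generator 2) is my choice here. The identity, passwords and the "impostor" server are constructed for the demo.

```python
"""SRP-6a style zero-knowledge password login (added example, not from the thread).
Assumptions: SHA-256 as the hash, RFC 5054 1024-bit group with g = 2,
constructed identity/passwords, and a constructed impostor server."""
import hashlib
import hmac
import secrets

# RFC 5054, Appendix A: 1024-bit group prime; generator is 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8              # 128 bytes

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def pad(x: int) -> bytes:                       # fixed-width big-endian encoding
    return x.to_bytes(N_LEN, "big")

def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

k = to_int(H(pad(N), pad(g)))                   # SRP-6a multiplier

def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    return to_int(H(salt, H(identity + b":" + password)))

def make_verifier(identity: bytes, password: bytes, salt: bytes = None):
    """Enrolment: the server stores (salt, v = g^x), never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)

class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("bad server value B")
        u = to_int(H(pad(self.A), pad(B)))
        x = private_x(self.I, self.P, salt)
        # (B - k*g^x) collapses to g^b only if the server built B from the real verifier.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H(pad(S))
        self.M1 = H(xor(H(pad(N)), H(pad(g))), H(self.I), salt, pad(self.A), pad(B), self.K)
        return self.M1                          # key confirmation, not the password

    def verify_server(self, M2: bytes) -> bool:
        """Ann accepts only a peer that derived the same key, i.e. one that knew v."""
        return hmac.compare_digest(H(pad(self.A), self.M1, self.K), M2)

class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v

    def challenge(self, I: bytes, A: int):
        if A % N == 0:
            raise ValueError("bad client value A")
        self.I, self.A = I, A
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def session_key(self) -> bytes:
        u = to_int(H(pad(self.A), pad(self.B)))
        return H(pad(pow(self.A * pow(self.v, u, N) % N, self.b, N)))

    def finish(self, M1: bytes):
        K = self.session_key()
        expected = H(xor(H(pad(N)), H(pad(g))), H(self.I), self.salt, pad(self.A), pad(self.B), K)
        if not hmac.compare_digest(expected, M1):
            return None                         # wrong password: no M2 is issued
        return H(pad(self.A), M1, K)

class ImpostorServer(Server):
    """Constructed phishing site: holds only a guessed verifier, skips the M1
    check, and sends its best-effort M2 anyway."""
    def finish(self, M1: bytes) -> bytes:
        return H(pad(self.A), M1, self.session_key())

def srp_login(identity: bytes, password: bytes, server: Server) -> bool:
    """Run one login; True only if the client accepts the server's proof."""
    client = Client(identity, password)
    salt, B = server.challenge(identity, client.A)
    M2 = server.finish(client.respond(salt, B))
    return M2 is not None and client.verify_server(M2)

if __name__ == "__main__":
    salt, v = make_verifier(b"ann", b"correct horse battery")
    print("real server:", srp_login(b"ann", b"correct horse battery", Server(salt, v)))
    _, v_guess = make_verifier(b"ann", b"password123", salt)
    print("impostor:", srp_login(b"ann", b"correct horse battery", ImpostorServer(salt, v_guess)))
```

The impostor receives Ann's A and M1 but never her password, and because it built B from a guessed verifier it cannot derive K and its M2 is rejected; one session lets it test only the single guess it committed to in B. None of this helps, as Ben Laurie's reply points out, if the password is typed into a web page rather than the browser chrome: the protocol only protects a secret that reaches the genuine client code.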
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography