--
Anne & Lynn Wheeler wrote:
> part of x9.59 retail payment standard requires the
> transaction to be authenticated. another part of the
> x9.59 retail payment standard requires that the
> account number in x9.59 retail payments can't be used
> in non-authenticated transactions. it has been
>
On Wed, 7 Jun 2006, John Brazel wrote:
> What we really need is something similar to the built-in "remember
> my password" functionality of current web browsers: the browser keeps
> track of a login/password/certified (ie TLS certificate-backed) DNS name
> tuple...
[...]
> The downside, of course,
James A. Donald wrote:
The concept of trusted computing is an attempt to
address this problem - each application has exclusive
access to certain data, a trusted path to interact with
the user, and the ability to prove to servers what code
is being executed on the client.
so they aren't exactly
Jeffrey Altman wrote:
Solving the phishing problem requires changes on many levels:
(1) Some form of secure chrome for browsers must be deployed where
the security either comes from a "trusted desktop" or by per-user
customizations that significantly decrease the chances that the
a
Florian Weimer wrote:
You mean something like remote attestation? I find it hard to believe
that this capability is available today in a relatively open
environment, on a platform supporting multiple applications developed
by different applications.
re:
http://www.garlic.com/~lynn/aadsm23.htm#
* Anne & Lynn Wheeler:
> Florian Weimer wrote:
>> FINREAD is really interesting. I've finally managed to browse the
>> specs, and it looks as if this platform can be used to build something
>> that is secure against compromised hosts. However, I fear that the
>> support costs are too high, and t
James A. Donald wrote:
> --
> Jeffrey Altman wrote:
>> Unfortunately, SRP is not the solution to the phishing
>> problem. The phishing problem is made up of many
>> subtle sub-problems involving the ease of spoofing a
>> web site and the challenges involved in securing the
>> enrollment and pas
Anne & Lynn Wheeler wrote:
if they can build a $100 PC ... you think that they could build a
finread terminal for a couple bucks. sometimes there are issues with
volume pricing ... you price high because there isn't a volume and there
isn't a volume because you price high.
re:
http://www.garl
Florian Weimer wrote:
FINREAD is really interesting. I've finally managed to browse the
specs, and it looks as if this platform can be used to build something
that is secure against compromised hosts. However, I fear that the
support costs are too high, and that's why it hasn't caught on in
ret
On Thu, 1 Jun 2006, Jeffrey Altman wrote:
> Solving the phishing problem requires changes on many levels:
I agree.
> (1) Some form of secure chrome for browsers must be deployed where
> the security either comes from a "trusted desktop" or by per-user
> customizations that significantly d
* Anne & Lynn Wheeler:
> Florian Weimer wrote:
>> If you've deployed two-factor authentication (like German banks did in
>> the late 80s/early 90s), the relevant attacks do involve compromised
>> customer PCs. 8-( Just because you can't solve it with your technology
>> doesn't mean you can pretend
* Ka-Ping Yee:
> Passpet's strategy is to customize a button that you click. We
> are used to recognizing toolbar buttons by their appearance, so
> it seems plausible that if the button has a custom per-user icon,
> users are unlikely to click on a spoofed button with the wrong
> icon. Unlike ot
--
Lance James wrote:
> Here's where SRP fails:
>
> 1) SSL is built into the browser - doesn't stop
> phishers
SSL protects true names, SRP protects true
relationships. Protecting true names turned out to be
not very useful.
> "Hi, we're having a problem with your account system
> as our SR
--
Jeffrey Altman wrote:
> Unfortunately, SRP is not the solution to the phishing
> problem. The phishing problem is made up of many
> subtle sub-problems involving the ease of spoofing a
> web site and the challenges involved in securing the
> enrollment and password change mechanisms.
With
Florian Weimer wrote:
If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer PCs. 8-( Just because you can't solve it with your technology
doesn't mean you can pretend the attacks don't happen.
EU finr
On 5/30/06, Derek Atkins <[EMAIL PROTECTED]> wrote:
Quoting "James A. Donald" <[EMAIL PROTECTED]>:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?
Patents.
Seconded
--
Ka-Ping Yee wrote:
> Passpet's strategy is to customize a button that you
> click. We are used to recognizing toolbar buttons by
> their appearance, so it seems plausible that if the
> button has a custom per-user icon, users are unlikely
> to click on a spoofed button with the wrong icon.
--
Ka-Ping Yee wrote:
> Passpet's strategy is to customize a button that you
> click. We are used to recognizing toolbar buttons by
> their appearance, so it seems plausible that if the
> button has a custom per-user icon, users are unlikely
> to click on a spoofed button with the wrong icon.
On Thu, 1 Jun 2006, Florian Weimer wrote:
> > That is an all purpose argument that is deployed
> > selectively against some measures and not others.
>
> If you've deployed two-factor authentication (like German banks did in
> the late 80s/early 90s), the relevant attacks do involve compromised
> cu
Here's where SRP fails:
1) SSL is built into the browser - doesn't stop phishers
2) Chrome or no chrome good luck getting it in there and having every
user understand it.
3) Traditional phishing works, but if you force them to change, the
malware propagation will only be higher than it is now, and
James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?
Unfortunately, SRP is not the solution to the phishing problem.
The phishing problem is made up o
* James A. Donald:
> --
> Florian Weimer wrote:
>> There is no way to force an end user to enter a
>> password only over SRP.
>
> Phishing relies on the login page looking familiar. If
> SRP is in the browser chrome, and looks strikingly
> different from any web page, the login page will not
On Thu, 1 Jun 2006, James A. Donald wrote:
> SRP necessarily runs in the chrome, in the client
> software, not in the web page, therefore the chrome,
> should put up an image that cannot be convincingly
> imitated by html
Sure, I agree. I only brought this up to point out that SRP
alone doesn't s
--
Florian Weimer wrote:
> There is no way to force an end user to enter a
> password only over SRP.
Phishing relies on the login page looking familiar. If
SRP is in the browser chrome, and looks strikingly
different from any web page, the login page will not
look familiar.
> Fortunately, i
--
James A. Donald wrote:
> > The obvious solution to the phishing crisis is the
> > widespread deployment of SRP
Lance James
> I disagree here, I don't think this will stop phishing
> for many reasons. Please explain how it would. It will
> stop "man-in-the-middle" attacks on the protocol, b
--
Ka-Ping Yee wrote:
> "Phishing" can mean a few different things. If by
> "phishing" you mean the stealing of passwords, then
> yes, SRP would help to eliminate that problem, but
> users could still be fooled into giving away their SRP
> passwords if the user interface for entering the
> pa
* James A. Donald:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?
There is no way to force an end user to enter a password only over
SRP. That's why SRP is not effec
- Original Message -
From: "James A. Donald" <[EMAIL PROTECTED]>
Subject: Status of SRP
The obvious solution to the phishing crisis is the widespread deployment
of SRP, but this does not seem to be happening. SASL-SRP was recently
dropped. What is the problem?
The problem is that you
Quoting "James A. Donald" <[EMAIL PROTECTED]>:
The obvious solution to the phishing crisis is the widespread
deployment of SRP, but this does not seem to be happening. SASL-SRP was
recently dropped. What is the problem?
Patents.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media L
Lance James wrote:
> James A. Donald wrote:
>
>> The obvious solution to the phishing crisis is the widespread
>> deployment of SRP, but this does not seem to be happening. SASL-SRP was
>> recently dropped. What is the problem?
>>
>
>
I want to clarify, because by typing too fast, I think
James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?
I disagree here, I don't think this will stop phishing for many reasons.
Please explain how it wo
On Wed, 31 May 2006, James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?
"Phishing" can mean a few different things. If by "phishing" you
mean the s
On Wed, May 31, 2006 at 09:41:57AM +1000, James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?
The obvious solution is perhaps more difficult to de