On 25/09/11 10:09 AM, James A. Donald wrote:
On 2011-09-25 4:30 AM, Ben Laurie wrote:
I'm just saying I think it's hard to detect when a password is being
asked for as part of the risk assessment.
http and https do not know there are such things as logons. Logons
need to be built into the
On Thu, Sep 22, 2011 at 4:46 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
Well, don't tease. How?
The link I've posted before (but didn't want to keep spamming to the list):
http://www.cs.auckland.ac.nz/~pgut001/pubs/pki_risk.pdf
That was a fun read
On Sep 23, 2011, at 11:17 AM, Ben Laurie wrote:
On Thu, Sep 22, 2011 at 4:46 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
Well, don't tease. How?
The link I've posted before (but didn't want to keep spamming to the list):
Ben Laurie b...@links.org writes:
Well, don't tease. How?
The link I've posted before (but didn't want to keep spamming to the list):
http://www.cs.auckland.ac.nz/~pgut001/pubs/pki_risk.pdf
Peter.
On 20/09/11 01:53 AM, Andy Steingruebl wrote:
SSL wasn't designed to stop phishing, if sites don't deploy it with
mutual-auth it can't possibly do so.
Yes, it was. SSL was upgraded in v2 to provide a complete solution to
the MITM. This is evident in v2's addition of certificates, and the
On 18/09/11 20:02 PM, M.R. wrote:
On 18/09/11 08:59, James A. Donald wrote:
If we acknowledge that SSL is not secure, then need
something that is secure.
Nothing is either secure, or not secure. Any engineering
system is either secure for the purpose it was designed for,
or it is not. SSL is
On Sun, Sep 18, 2011 at 2:01 PM, James A. Donald jam...@echeque.com wrote:
SSL fails at low security stuff in that it allows phishing,
snark
You know what else fails at fighting phishing?
- The locks on my car door
- The fence surrounding my house
- The full disk encryption on my laptop
On 09/19/2011 10:53 AM, Andy Steingruebl wrote:
You know what else fails at fighting phishing?
- The locks on my car door
Hmmm, what would a phishing attack on your car door locks look like?
Perhaps someone could replace your car one night with a very
similar-looking one, then when you're
On 2011-09-20 6:48 AM, James A. Donald wrote:
On 2011-09-20 5:16 AM, Nico Williams wrote:
As for out-of-band phishing, well, that's the hardest to protect
against for the simple reason that some phishing e-mail is always
bound to get through and prey on the elderly and naive. I'm not sure
what
On 2011-09-20 8:46 AM, Nico Williams wrote:
Of course. We need trusted UI paths. That's a hard problem. We know
users dislike SAS (secure attention sequences). We know people want
full-screen apps. These constraints make it almost impossible, if not
impossible to get any sort of trusted UI
On Tue, Sep 20, 2011 at 12:42 AM, James A. Donald jam...@echeque.com wrote:
On 2011-09-20 8:46 AM, Nico Williams wrote:
Of course. We need trusted UI paths. That's a hard problem. We know
users dislike SAS (secure attention sequences). We know people want
full-screen apps. These
On 17/09/11 17:56, lodewijk andré de la porte wrote:
...therefore assumes others assume SSL to be broken by design...
SSL is not broken by design!
SSL was designed to protect relatively low-value retail commerce,
and it still does that job reasonably well.
What failed were our mechanisms to
On 2011-09-18 4:34 PM, M.R. wrote:
SSL was designed to protect relatively low-value retail commerce,
and it still does that job reasonably well.
What failed were our mechanisms to ensure that system usage regime does
not exceed its design parameters. If I can be flippant, SSL was a
pedestrian
On 18/09/11 08:59, James A. Donald wrote:
If we acknowledge that SSL is not secure, then need
something that is secure.
Nothing is either secure, or not secure. Any engineering
system is either secure for the purpose it was designed for,
or it is not. SSL is secure, since it is secure for the
Ian G i...@iang.org writes:
When it came to actual failures ... they are silent. Still. But they love
their merry-go-round :)
There are ways to get off the merry-go-round. I've now put the slides for the
talk I'd mentioned last week, that I did at EuroPKI, up at