On the current web it is a matter of fact that a banking site should
be developed under the assumption that a substantial number of users use
infected computers and that some of them would attempt to perform a banking fraud.
A real experience shows that a substantial number of those fraud
attempts come
On 30/09/13 20:35 PM, Igor Bukanov wrote:
...
A real experience shows that a substantial number of those fraud
attempts come from computers where malware installs its own root
certificate and then installs either a real or a transparent proxy. The
access to the proxy is then sold to third parties
I don't know the details of J-Pake etc.,
This is a type of protocol that allows *mutual* authentication using
simple passwords or other shared secrets without leaking any
information about the passwords (so dictionary attacks on the captured
traffic etc. do not work). As a result of the
-- Forwarded message --
From: Igor Bukanov i...@mir2.org
Date: 11 October 2013 15:02
Subject: Re: Defending against malicious SSL proxy
To: Brian Smith br...@briansmith.org
From a practical point of view anything that requires changes in the
existing SSL infrastructure cannot