WebApp Sec mailing list archives
RE: (secure email) Proposal to anti-phishing
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Tue, 25 Jan 2005 06:42:26 +1100
Is it? Surely it's easy to see. Phishing requires the user to enter the password in a website. If they don't need to do this (or only enter partial password) because of a certificate, then I think it's pretty easy to see how that is an advantage.
There are already 'phishing-style' attacks which have the customer's PC infected with keylogging and backdoor malware. Verifying a password on a remote, possibly malware-infected PC can't (to the relying party) be as good as a password verified at the server. In the latter case, the server operator can make decisions about trusting this login; in the former, they can't.

Lyal