WebApp Sec mailing list archives

RE: (secure email) Proposal to anti-phishing


From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Tue, 25 Jan 2005 06:42:26 +1100


Is it? Surely it's easy to see. Phishing requires the user to enter
the password in a website. If they don't need to do this (or only
enter partial password) because of certificate, then I think it's
pretty easy to see how that is an advantage.

There are already 'phishing-style' attacks which have the customer's PC
infected with keylogging and backdoor malware.
Verifying a password on a remote, possibly malware-infected PC can't (to the
relying party) be as good as a password verified at the server.  In the
latter case, the server operator can make decisions about trusting this
login; in the former, they can't.

Lyal


