WebApp Sec mailing list archives

Re: Article - A solution to phishing


From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 14 Jul 2005 22:49:56 +0100

jcjhilvfgvqcf () mailinator com wrote:

I have found a product that looks better than passmark.

It is called ACUTrust (www.acutrust.com) and it uses a visualized token to authenticate the website.  It does not use
cookies and does not require any client based software.  I also think that this would help a non technical person
identify the site.

Except that it doesn't work - it is vulnerable to a MITM attack.

The reason it doesn't work is that it still makes the user enter /their/
secret before they have authenticated the server. It also makes the
client run code from a source it hasn't verified yet. So all the phisher
needs to do is get in the middle and proxy the protocol in either
direction. That is not too hard in the phishing scenario, and nothing in
acutrust makes it much harder.

Can't be fixed either, as you need a decent way to authenticate the
server to fix it, and that's what you're trying to solve.

I wrote about the underlying issue in phishing years back, in early
1997, back when everyone still thought SSL made it impossible. That's so
long ago(*) now that the only place I can find my own paper is here (I
really must update it one of these days, seeing as hardly anything has
changed in almost 10 years, except that now this actually happens!):

http://web.archive.org/web/19980131231134/http://www.brd.ie/papers/sslpaper/sslpaper.html

I still strongly suspect that the real fix for phishing is to modify the
browser SSL handler and the server certificate, such that the browser
can automatically authenticate that the text or image in the hyperlink
that the user clicks on really 'belongs' to the server. That is, proper
end to end authentication, instead of authentication of meaningless
details that users do not understand (DNS names). That's described in a
bit more detail in the paper.

Unfortunately that means making a small change to the browser, as well
as to the way CAs create certificates - both are disruptive changes,
although could be made backwards compatible. Also, back then neither
browsers nor X.509 really supported extensions - now that both of them
do (well at least firefox does - is there another browser? :-), and now
that this is a highly visible problem, maybe the time is right to
actually implement some kind of proof of concept. I'd be happy to
participate if anyone is interested.

Cheers,
Frank.

(*) As an indication of just how old the paper is, it even mentions SET :-)
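As an added illustration of the end-to-end check Frank proposes (this is not code from the thread, from his paper, or from any product; it is a model written for this archive page): a certificate issued by a CA carries a hypothetical extension listing the link texts bound to the server's key, and the browser releases the user's secret only once the text the user clicked checks out against the key that authenticated the connection. Everything here is constructed for the demo: the certificate format, the HMAC that stands in for a real CA signature, the key identifiers and the link labels.

```python
import hashlib
import hmac
import json

# Constructed CA secret. A real CA would sign with a private key and the browser
# would verify a public-key signature; HMAC stands in so the model runs offline.
CA_KEY = b"constructed-demo-ca-key"


def _encode(body):
    # Canonical encoding so the same body always produces the same signature input.
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_key, subject_key_id, link_labels):
    """CA issues a certificate whose (hypothetical) extension lists the link
    texts that the holder of subject_key_id is allowed to present to users."""
    body = {"subject_key": subject_key_id, "link_labels": sorted(link_labels)}
    sig = hmac.new(ca_key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def certificate_valid(ca_key, cert):
    """Check the CA's binding of key to labels has not been altered or forged."""
    expected = hmac.new(ca_key, _encode(cert["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def link_belongs_to_server(ca_key, cert, link_label, handshake_key_id):
    """Browser-side check: the certificate must verify, must belong to the key
    that authenticated the TLS connection, and must list the clicked text."""
    return (certificate_valid(ca_key, cert)
            and cert["body"]["subject_key"] == handshake_key_id
            and link_label in cert["body"]["link_labels"])


def submit_secret(ca_key, cert, link_label, handshake_key_id, secret):
    """The secret leaves the browser only after the server has been
    authenticated to the text the user actually saw; otherwise nothing is sent."""
    if link_belongs_to_server(ca_key, cert, link_label, handshake_key_id):
        return {"status": "sent", "to": handshake_key_id, "secret": secret}
    return {"status": "refused", "to": None, "secret": None}


def run_scenarios():
    """Constructed scenarios: the genuine server and three relaying intermediaries."""
    label = "Example Bank - Log in"
    bank_cert = issue_certificate(CA_KEY, "bank-key", [label])
    # An intermediary holds its own key; the CA will only bind labels to that
    # key which the intermediary can legitimately claim, not the bank's label.
    relay_cert = issue_certificate(CA_KEY, "relay-key", ["Some Other Site"])
    forged_cert = {"body": {"subject_key": "relay-key", "link_labels": [label]},
                   "sig": "00"}  # no CA signature over this binding
    return {
        "genuine": submit_secret(CA_KEY, bank_cert, label, "bank-key", "hunter2"),
        # relay presents its own certificate: the bank's label is not bound to it
        "relay_own_cert": submit_secret(CA_KEY, relay_cert, label, "relay-key", "hunter2"),
        # relay replays the bank's certificate, but the handshake authenticated the relay's key
        "relay_replayed_cert": submit_secret(CA_KEY, bank_cert, label, "relay-key", "hunter2"),
        # relay writes its own binding of the label to its key: signature fails
        "forged_cert": submit_secret(CA_KEY, forged_cert, label, "relay-key", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result['status']}")
```

The point the model makes is the ordering Frank describes: the secret is tied to a check the browser performs on the server's identity before anything is typed, so an intermediary that merely relays the protocol in both directions has nothing to relay until it can present a CA-signed binding of the bank's link text to its own key.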

