WebApp Sec mailing list archives
Re: Are client side certificates good enough against phising?
From: Oguzhan Topgul <oguzhan.topgul () uekae tubitak gov tr>
Date: Mon, 07 Feb 2011 11:10:15 +0200
If you are interested in phishing attacks and prevention methods, you can find a good classification of phishing attacks and some methods for prevention in this paper.

http://arxiv.org/PS_cache/arxiv/pdf/0911/0911.5230v1.pdf

I found it useful.

Regards

--
Oğuzhan Topgül
http://www.bilgiguvenligi.gov.tr

On 04.02.2011 22:25, Marcel Constantopulos wrote:

Hi,

This is my first post on the list, and I'm very happy that I've found you.

I was wondering if the client side certificates are good enough against phishing. Can an attacker use what he receives from the victim to impersonate the victim?

I do not know exactly how the client-server authentication works, I assume that the web-server asks for the client to have the certificate by asking it to sign one random sequence of numbers/text, and then the server authenticates the client with the client's public key.

If the above is true, I guess that a hacker/thief would initiate first the communication from the server, and then pass on the request to the victim, and afterwards using what he receives from the victim to authenticate himself against the server.

It might be a bit simplistic the way I think, cause I do not have that much experience with SSL. I know a bit about the SSL handshake...

Thank you,
Marcel

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Current thread:
- Are client side certificates good enough against phising? Marcel Constantopulos (Feb 06)
- Re: Are client side certificates good enough against phising? Marc-André Laverdière (Feb 06)
- Re: Are client side certificates good enough against phising? Andy Steingruebl (Feb 06)
- <Possible follow-ups>
- Re: Are client side certificates good enough against phising? Oguzhan Topgul (Feb 07)