Re: Are client side certificates good enough against phising?

[Oguzhan Topgul <oguzhan.topgul () uekae tubitak gov tr>]

If you are interested in phishing attacks and prevention methods, you 
can find good classification of phishing attacks and some methods for 
prevention in this paper.
http://arxiv.org/PS_cache/arxiv/pdf/0911/0911.5230v1.pdf

I found it useful

Regards

--
Oğuzhan Topgül
http://www.bilgiguvenligi.gov.tr




On 04.02.2011 22:25, Marcel Constantopulos wrote:
> Hi,
>
> This is my first post on the list, and I'm very happy that I've found you.
> I was wondering if the client side certificates are good enough
> against phishing.
>
> Can an attacker use what he receives from the victim to impersonate as
> the victim?
>
> I do not know exactly how the client-server authentification works, I
> assume that the web-server asks for the client to have the certificate
> by asking it to sign one random sequence of numbers/text, and then the
> server authenticates the client with the client's public key.
>
> If the above is true, I guess that a hacker/thief would initiate first
> the comunication from the server, and then pass on the request to the
> victime, and afterwards using what he receives from the victime to
> authenticate himself against the server.
>
> It might be a bit simplistic the way I think, cause I do not have that
> much experience with SSL. I know a bit about the SSL handshake...
>
> Thank you,
> Marcel
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------