WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Article - A solution to phishing

From: lists () dawes za net
Date: Sat, 27 Nov 2004 10:18:58 -0600
Quoting Michael Silk <michaelsilk () gmail com>:


Hi Christopher,

      Thanks for your feedback, let me address it.

      First let me say that many people have raised
      the issue (privately) of unecrypted emails not
      being good enough - and they have a point. So
      from now onwards let us assume that public
      key/private key exchange system is used to
      communicate the emails such that:



And if they are using a public key system, why would you bother with email then?
Just make them use the private key to authenticate to the website. There is
STILL no opportunity for phishing, as the user never types in any details. They
simply authenticate the SSL session using the cert, and there are no further
opportunities for information theft.

Sounds to me like you just want to use email in there somewhere! ;-)

Rogan
Previous By Date Next
Previous By Thread Next

Current thread: