WebApp Sec mailing list archives

Re: Proposal to anti-phishing

From: Rogan Dawes <discard () dawes za net>
Date: Wed, 19 Jan 2005 10:21:05 +0100



Michael Silk wrote:

Rogan,

The only possible attack against SSL client certs is against the
"re-issue" process, I think, and there again, the bank has control. The
way I see it, the phisher could try to get the user to "renew" their
cert, by providing some authenticating information that the phisher
could try to use to get a new cert from the bank. But, the key here is
"from the BANK".



 Could even be as simple as presenting a message such as:

 "Our cert system is down, please enter your phone banking details
here to gain access".

I guess that would allow the attacker to hit via the phone bankingservices. That is a possibility. Perhaps that could be countered by thebank displaying a "splash screen" on logon/first page hit, that tellsthe user that the banking system will only ever be accessed using thecertificate, and to distrust any messages that say that it is not working.


 Another issue with SSL client certs (please correct me if i'm wrong)
is that it's basically sitting on the computer 24/7. If you can gain
access to the machine it's on you (Joe hacker..) can then take it and
use it elsewhere.

Depends. Windows cert store does not make it easy to copy a certificateif it is not imported with the "exportable" flag set.


Other apps/browsers may make it easier.


 And laptops that are used by multiple employee's or family members,
or robbers.. ?

 And on this note, it would mean it's fairly difficult for a user to
use their banking from work and home with this setup, isn't it ?


That depends on whether we are using a hardware token or not . . .

With a smart card/USB crypto device, you get portability, as well ascopy protection, although you do pay the "price" of having to set updriver software in multiple locations . . .


-- Michael


Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

Current thread:

Re: Proposal to anti-phishing, (continued)
- - - Re: Proposal to anti-phishing Moksha Faced (Jan 27)
    - Re: Proposal to anti-phishing Jimi Thompson (Jan 23)
    - RE: Proposal to anti-phishing Lyal Collins (Jan 24)
    - Re: Proposal to anti-phishing Robert Hajime Lanning (Jan 24)
  - Re: Proposal to anti-phishing Frank Knobbe (Jan 19)
    - Re: Proposal to anti-phishing Florian Weimer (Jan 19)
- RE: Proposal to anti-phishing ACMurray (Jan 15)
- RE: Proposal to anti-phishing Michael Silk (Jan 19)
  - Re: Proposal to anti-phishing exon (Jan 23)
- RE: Proposal to anti-phishing Michael Silk (Jan 23)
  - Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
    - Re: Proposal to anti-phishing Michael Silk (Jan 23)
    - Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
    - Re: Proposal to anti-phishing Michael Silk (Jan 23)
    - Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- RE: Proposal to anti-phishing Michael Silk (Jan 24)
- RE: Proposal to anti-phishing Adler Eliacin (Jan 24)
- Re: Proposal to anti-phishing Michael Silk (Jan 27)
- Re: Proposal to anti-phishing Mike Podanoffsky (Jan 27)
- RE: Proposal to anti-phishing Harper.Matthew (Jan 27)