WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 17 Jan 2005 09:14:19 +0100
Florian Weimer wrote:
* Rafael San Miguel:The solution is based in a hardware token that is delivered to every customer. This token includes the true certificate that should be presented by the bank when a customer access his/her account, and a program that checks if the certificate presented by the webpage is consistent with the first one. The program is in read-only memory so that it can't be modified by anything external to it.It's acceptable neither to customers nor to banks. These days, zero-setup online banking is an absolute must.
If clients are prepared to accept the consequences of having this "zero-setup" online banking, so be it.
Zero-setup online banking will be possible again (with SSL client certs, hear me beat the drum once more) once enough clients have smart card readers as standard equipment, properly integrated with the operating system and the browsers.
For an example, I look to the Dell Latitude D600, which comes with an integrated smart card reader. Maybe a good feature addition for the new LCD monitors would be a smart card reader slot, connected via USB. The more people use them, the more ubiquitous they will be, and the less "setup" will be required by new users/clients.
We cannot just avoid the issue by saying that banks and clients "don't wannna!" go to the trouble of setting up a new device so they can be secure online.
If we all say "I don wanna!", we'll never get there. And that would be a shame.
Rogan -- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
Current thread:
- Re: Proposal to anti-phishing, (continued)
- Re: Proposal to anti-phishing Moksha Faced (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Rob Skedgell (Jan 19)
- Re: Proposal to anti-phishing Cory Foy (Jan 23)
- Re: Data sanitization approaches in Java Jeff Williams (Jan 16)
- Re: Data sanitization approaches in Java Stephen de Vries (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- Re: Proposal to anti-phishing Griffiths, Ian (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: Proposal to anti-phishing lists (Jan 24)
- Re: Proposal to anti-phishing Kurt Seifried (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 27)