WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 14 Jul 2005 22:49:56 +0100
jcjhilvfgvqcf () mailinator com wrote:
I have found a product that looks better than passmark. It is called ACUTrust (www.acutrust.com) and it uses a visualized token to authenticate the website. It does not use cookies and does not require any client based software. I also think that this would help a non technical person identify the site.
Except that it doesn't work - it is vulnerable to a MITM attack. The reason it doesn't work is that it still makes the user enter /their/ secret before they have authenticated the server. It also makes the client run code from a source it hasn't verified yet. So all the phisher needs to do is get in the middle and proxy the protocol in either direction. That is not too hard in the phishing scenario, and nothing in acutrust makes it much harder. Can't be fixed either, as you need a decent way to authenticate the server to fix it, and that's what you're trying to solve.

I wrote about the underlying issue in phishing years back, in early 1997, back when everyone still thought SSL made it impossible. That's so long ago(*) now that the only place I can find my own paper is here (I really must update it one of these days, seeing as hardly anything has changed in almost 10 years, except that now this actually happens!):

http://web.archive.org/web/19980131231134/http://www.brd.ie/papers/sslpaper/sslpaper.html

I still strongly suspect that the real fix for phishing is to modify the browser SSL handler and the server certificate, such that the browser can automatically authenticate that the text or image in the hyperlink that the user clicks on really 'belongs' to the server. That is, proper end to end authentication, instead of authentication of meaningless details that users do not understand (DNS names). That's described in a bit more detail in the paper.

Unfortunately that means making a small change to the browser, as well as to the way CAs create certificates - both are disruptive changes, although could be made backwards compatible. Also, back then neither browsers nor X.509 really supported extensions - now that both of them do (well at least firefox does - is there another browser? :-), and now that this is a highly visible problem, maybe the time is right to actually implement some kind of proof of concept. I'd be happy to participate if anyone is interested.

Cheers,
Frank.

(*) As an indication of just how old the paper is, it even mentions SET :-)
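
As an added illustration (not part of the message above or of the linked paper), this Python model contrasts the two checks the message discusses: a visual token shown after the user identifies themselves, which a relaying intermediary passes unchanged, and a browser-side check that the clicked link label is bound into the certificate of the server actually reached. The `link_labels` extension, the dict-shaped certificates, the host names and the assumption that a CA only binds a label to its rightful owner are all hypothetical.

```python
import hashlib

def label_digest(label: str) -> str:
    # Normalise case and whitespace so trivial variations hash identically.
    return hashlib.sha256(" ".join(label.lower().split()).encode()).hexdigest()

# Constructed stand-ins for CA-signed certificates. "link_labels" is a
# hypothetical extension; signature and chain validation are assumed done.
BANK_CERT = {"dns": "www.examplebank.test",
             "link_labels": {label_digest("Example Bank")}}
PROXY_CERT = {"dns": "www.examp1ebank.test", "link_labels": set()}

class Site:
    """Server that shows a user's enrolled image once they identify themselves."""
    def __init__(self, cert, tokens):
        self.cert, self.tokens = cert, tokens
    def visual_token(self, username):
        return self.tokens.get(username)

class RelayingSite(Site):
    """Intermediary with its own certificate that forwards requests upstream."""
    def __init__(self, cert, upstream):
        self.cert, self.upstream = cert, upstream
    def visual_token(self, username):
        return self.upstream.visual_token(username)

def user_accepts_visual_token(site, username, enrolled_image):
    # The only question the user can ask: is this the image I enrolled?
    return site.visual_token(username) == enrolled_image

def browser_accepts_link(clicked_label, site):
    # The label the user clicked must appear in the certificate presented
    # by the server the browser actually connected to.
    return label_digest(clicked_label) in site.cert["link_labels"]

def demo():
    bank = Site(BANK_CERT, {"alice": "sailboat.png"})
    relay = RelayingSite(PROXY_CERT, bank)
    return {
        "token_direct": user_accepts_visual_token(bank, "alice", "sailboat.png"),
        "token_relayed": user_accepts_visual_token(relay, "alice", "sailboat.png"),
        "label_direct": browser_accepts_link("Example Bank", bank),
        "label_relayed": browser_accepts_link("Example Bank", relay),
    }

if __name__ == "__main__":
    print(demo())
```

The relayed visual token is indistinguishable from the direct one, while the label check fails for the intermediary because the check is tied to the certificate of the endpoint rather than to content that can be forwarded.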