Re: Symptoms vs. Causes

At Thu, 13 Sep 2007 16:14:47 +0100,
<michael.dillon@xxxxxx> wrote:
> 
> 
> > > So much for typing. How about selecting password letters from dropdown
> > > boxes, or from an image map with scrambled letters that was sent to
> > > the browser.
> > 
> > Sorry, what about these? They have essentially the same 
> > security properties as cleartext passwords.
> 
> One would hope that all communication from the browser to the server
> is encrypted as in SSL regardless of whether passwords go in
> cleartext or whether there is some Javascript to encrypt them
> first. In that case, the big issue is keylogging software that has
> been widely installed by malware distributed by Phishing
> organizations. Key-stroke loggers do not look at mouse-clicks.

(1) No, this technique is still easily phished by someone who
    impersonates the image map.
(2) It's easy to write keyloggers that would capture mouse clicks.
    Nobody does it because the imagemap technique is not widely
    used. If it were, that would change.


> > Second, it doesn't take that many phishing attacks to extract
> > most of the secret word.
> 
> Depends on length of said word/phrase. Also, I can see how naïve
> people are fooled by the first email, but surely the percentage who
> would click on each successive email decreases.

That's far from clear, but even if it were so, the phisher can force
multiple trials on the same phishing email, as if you had mistyped,
thus recovering significant portions of the secret word. And of
course, this either requires multiple secret words or a strong
password equivalent on the server side.


> You've mentioned man-in-the-middle attacks. Such attacks cannot be
> prevented if the user interface requires cleartext inputs.

I suppose it depends on what you mean by "cleartext inputs". See:

  [0] J. Alex Halderman, Brent Waters, and Edward W. Felten, "A Convenient
  Method for Securely Managing Passwords", Proceedings of the 14th
  International World Wide Web Conference (WWW 2005).

  [1] Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh, and John C.
  Mitchell, "Stronger Password Authentication Using Browser Extensions",
  Proceedings of the 14th USENIX Security Symposium, 2005.

-Ekr

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]