RE: Symptoms vs. Causes

You are both wrong.
 
Mouseclick loggers are commonplace. They have been around for at least four years, about six months after banks in Brazil started to use mouse-based keyboards. Some of them capture the screen area round the mouse pointer at the time of the click.
 


From: Eric Rescorla [mailto:ekr@xxxxxxxxxxxxxxxxxxxx]
Sent: Thu 13/09/2007 11:27 AM
To: michael.dillon@xxxxxx
Cc: ietf@xxxxxxxx
Subject: Re: Symptoms vs. Causes

At Thu, 13 Sep 2007 16:14:47 +0100,
<michael.dillon@xxxxxx> wrote:
>
>
> > > So much for typing. How about selecting password letters
> > from dropdown
> > > boxes, or from an image map with scrambled letters that was sent to
> > > the browser.
> >
> > Sorry, what about these? They have essentially the same
> > security properties as cleartext passwords.
>
> One would hope that all communication from the browser to the server
> is encrypted as in SSL regardless of whether passwords go in
> cleartext or whether there is some _javascript_ to encrypt them
> first. In that case, the big issue is keylogging software that has
> been widely installed by malware distributed by Phishing
> organizations. Key-stroke loggers do not look at mouse-clicks.

(1) No, this technique is still easily phished by someone who
    impersonates the image map.
(2) It's easy to write keyloggers that would capture mouse clicks.
    Nobody does it because the imagemap technique is not widely
    used. If it were, that would change.


> > Second, it doesn't take that many phishing attacks to extract
> > most of the secret word.
>
> Depends on length of said word/phrase. Also, I can see how naïve
> people are fooled by the first email, but surely the percentage who
> would click on each successive email, decreases.

That's far from clear, but even if it were so, the phisher can force
multiple trials on the same phishing email, as if you had mistyped,
thus recovering significant portions of the secret word. And of
course, this either requires multiple secret words or a strong
password equivalent on the server side.


> You've mentioned man-in-the-middle attacks. Such attacks cannot be
> prevented if the user interface requires cleartext inputs.

I suppose it depends on what you mean by "cleartext inputs". See:

  [0] J. Alex Halderman, Brent Waters, and Edward W. Felten, "A Convenient
  Method for Securely Managing Passwords", In Proceedings of the 14th
  International World Wide Web Conference (WWW 2005).

  [1] Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh, and John C. Mitchell,
  "Stronger Password Authentication Using Browser Extensions", In Proceedings
  of the 14th USENIX Security Symposium, 2005.

-Ekr

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
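As an added illustration of the site-specific password idea behind the two browser-extension papers Ekr cites (example code written here, not taken from either paper; the HMAC-SHA256 construction, the host canonicalisation and the function names are my own assumptions), this shows why a value captured by a look-alike phishing page is not the value the real site expects:

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical scheme (an assumption for this example, not the exact
# construction of either cited paper): the browser replaces the typed
# master password with a value derived from the master password and the
# host name of the page the form is being submitted to.


def site_key(url: str) -> str:
    """Canonicalise the submission target so scheme, case and path
    do not change the derived value for the same host."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """HMAC-SHA256 keyed by the master password over the canonical host,
    truncated to a printable string that is sent instead of the master."""
    mac = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def phished_value_is_useless(master: str, real_url: str, lookalike_url: str) -> bool:
    """True when the value a look-alike page would receive differs from the
    value the genuine host expects, so replaying it at the real site fails."""
    return derive_site_password(master, real_url) != derive_site_password(master, lookalike_url)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    master = "correct horse battery staple"
    real = "https://bank.example/login"
    lookalike = "https://bank-example.test/login"
    print("real site gets:    ", derive_site_password(master, real))
    print("look-alike gets:   ", derive_site_password(master, lookalike))
    print("phished value useless at real site:", phished_value_is_useless(master, real, lookalike))
```

The derivation is one-way, so a captured site value also does not reveal the master password; it does nothing against a click logger or screen grabber running on the user's machine, which is the threat the top of this thread is about.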
