From: Eric Rescorla [mailto:ekr@xxxxxxxxxxxxxxxxxxxx]
Sent: Thu 13/09/2007 11:27 AM
To: michael.dillon@xxxxxx
Cc: ietf@xxxxxxxx
Subject: Re: Symptoms vs. Causes
At Thu, 13 Sep 2007 16:14:47 +0100,
<michael.dillon@xxxxxx> wrote:
>
>
> > > So much for typing. How about selecting password letters
> > > from dropdown
> > > boxes, or from an image map with scrambled letters that was sent to
> > > the browser.
> >
> > Sorry, what about these? They have essentially the same
> > security properties as cleartext passwords.
>
> One would hope that all communication from the browser to the server
> is encrypted as in SSL regardless of whether passwords go in
> cleartext or whether there is some JavaScript to encrypt them
> first. In that case, the big issue is keylogging software that has
> been widely installed by malware distributed by Phishing
> organizations. Key-stroke loggers do not look at mouse-clicks.
(1) No, this technique is still easily phished by someone who
impersonates the image map.
(2) It's easy to write keyloggers that would capture mouse clicks.
Nobody does it because the imagemap technique is not widely
used. If it were, that would change.
> > Second, it doesn't take that many phishing attacks to extract
> > most of the secret word.
>
> Depends on length of said word/phrase. Also, I can see how naïve
> people are fooled by the first email, but surely the percentage who
> would click on each successive email decreases.
That's far from clear, but even if it were so, the phisher can force
multiple trials on the same phishing email, as if you had mistyped,
thus recovering significant portions of the secret word. And of
course, this either requires multiple secret words or a strong
password equivalent on the server side.
> You've mentioned man-in-the-middle attacks. Such attacks cannot be
> prevented if the user interface requires cleartext inputs.
I suppose it depends on what you mean by "cleartext inputs". See:
[0] J. Alex Halderman, Brent Waters, and Edward W. Felten, "A Convenient
Method for Securely Managing Passwords", In Proceedings of the 14th
International World Wide Web Conference (WWW 2005).
[1] Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh, and John C. Mitchell,
"Stronger Password Authentication Using Browser Extensions", In Proceedings
of the 14th USENIX Security Symposium, 2005.
-Ekr
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf