[cap-talk] "Secure Bookmark" terminology and Phoolproof Phishing Preventing from CMU
Eric Jacobs
eric at theeric.com
Thu Sep 7 22:12:27 CDT 2006
On Thu, 07 Sep 2006 19:35:17 -0700
"Mark S. Miller" <markm at cs.jhu.edu> wrote:
> Your text above clearly states "user-assigned", but you still think spoofing
> is an issue. Why does it matter if an attacker correctly guesses that my
> petname for Amazon.com is "Amazon"? What attack does this enable?
It still enables spoofing of the UI - e.g., simulating a pop-up window. This
can probably be resolved, but I'd think it would take a great deal of
redesigning GUI systems from a security perspective. In addition, I expect
that users will need _some_ incentive for making sure they are spoof-proof
(kinda like a good driver's discount, eh?)
Passwords are the real problem though. If they can be replaced or augmented
with crypto, as this project is doing, I think that would improve security in
a big way.
> For more on petnames, please see
> <https://www.financialcryptography.com/mt/archives/000499.html>. (Note: when
> discussing petname systems, "nickname" refers to a distinct concept. To avoid
> confusion, please do not refer to petnames as nicknames. Thanks.)
What's the difference?