[cap-talk] [Fwd: RE: [Fwd: Re: "Secure Bookmark" terminology and Phoolproof Phishing Preventing from CMU]]
Mark S. Miller
markm at cs.jhu.edu
Fri Sep 8 00:14:38 CDT 2006
Oops. I just realized that Brian's response hadn't shown up on cap-talk. So,
for the record, here it is.
-------- Original Message --------
Subject: RE: [Fwd: Re: [cap-talk] "Secure Bookmark" terminology and Phoolproof
Phishing Preventing from CMU]
Date: Fri, 8 Sep 2006 00:33:03 -0400
From: Bryan Parno <parno at cmu.edu>
To: 'Mark S. Miller' <markm at cs.jhu.edu>
CC: <cap-talk at mail.eros-os.org>
I would have to agree with Eric's response. The concern would be a
phishing site that also spoofs the portion of the browser UI that displays
the Petname. If the phisher can guess the Petname that the user has chosen,
then they can display it as part of the Petname spoof, and the user will not
detect that they have visited a phishing site.
A well-chosen Petname would make this attack much harder, but some people
will probably choose poor Petnames. Since phishing attacks scale relatively
well, the phishers would have an incentive to attempt this attack, as even a
low success rate could still prove lucrative.
I'm heading out of town for a few weeks tomorrow, so my access to email
will be sporadic. I look forward to continuing our discussions when I
return.
Bryan