[cap-talk] [Fwd: Re: "Secure Bookmark" terminology and Phoolproof Phishing Preventing from CMU]
Mark S. Miller
markm at cs.jhu.edu
Tue Sep 12 00:36:11 CDT 2006
Mark S. Miller wrote:
> Bryan Parno wrote:
>> I would have to agree with Eric's response. The concern would be a
>> phishing site that also spoofs the portion of the browser UI that displays
>> the Petname.
>
> We need to be clear about claims and threat models. If the phishing site can
> spoof this, then that problem needs to be addressed first. Until it is,
> petnames do you no good. This is outside the threat model petnames themselves
> address. It is within the threat model addressed by DSS. The two are thereby
> complementary.
Just today I found out that Ping and Kragen have started <http://passpet.org>,
which addresses these threats together in an integrated fashion. Good paper! I
look forward to using it.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM