[security] Phishing: Bookmarks to the rescue?
Dick Hardt
dick at sxip.com
Sat Jan 20 23:38:19 PST 2007
On 20-Jan-07, at 11:31 PM, Ka-Ping Yee wrote:
> On Sat, 20 Jan 2007, Dick Hardt wrote:
>> Hi Ka-Ping
>
> Hi, Dick!
Hey back, nice to see you on the list!
>
>> The MITM attack allows the bad guy to modify any headers being sent
>> to the real OP, including the Referer: header. An unsuspecting user
>> will just type in their credentials as they will see the usual
>> prompt, forgetting they are supposed to go to the OP via the
>> bookmark. So unfortunately this solution is easily defeated.
>
> The solution is defeated if the user enters credentials without
> using the bookmark.
>
> The hypothesis is that a user who chooses BookmarkID will be better
> at remembering to use the bookmark. This won't work for everyone,
> but I think it might work pretty well for some of us. OpenID lets
> us do the experiment.
I think it is an interesting stab at how to solve the problem -- but
I think the core part of your strategy was the lack of the Referer:
header, which is easily defeated.
Experiments are good -- just not with real people's identity!
btw: we should decide where we will have the conversation. Here or on
your blog! :-)