security
James A. Donald
jamesd at echeque.com
Thu Oct 26 08:54:42 UTC 2006
--
James A. Donald wrote:
>> So on reflection, we do have to support multiple
>> levels of security - but this creates problems, which
>> must be solved.
>>
>> It is intolerable if this endangers the guy whose
>> identity is
>> https://www.bankamerica.com/finance/transactions/vp.htm
Martin Atkins wrote:
> I can't think of any situation where one person's
> unsecured identifier could compromise any other
> identifier, secured or otherwise.
Assume that what is typed in is
www.bankamerica.com/finance/transactions/vp.htm
Because DNS has been poisoned, https does not work.
Relying party tries
http://www.bankamerica.com/finance/transactions/vp.htm
Gets bogus information.
As a result, the guy from bankamerica is logged in on an
account controlled by the adversary.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
WJxl2IZgKu0DZFxtRYmMuK0rOfyDpto1LrYBKEZ3
4Wu3MpZ/kLFtidf3eY9CuQWseRnrK6/Ijx843dxZU
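
The fallback described in the message above, as an added example that is not part of the original post or of any project's code: a relying party that silently retries over http, next to one that fails closed. The fetch functions simulate the network, and all function names, as well as the rule that an explicit http:// identifier is a separate, unsecured identity, are assumptions.

```python
# Constructed simulation, no network access. All names are hypothetical.
ID = "www.bankamerica.com/finance/transactions/vp.htm"  # identifier from the post

class FetchError(Exception):
    pass

def poisoned_fetch(url):
    """Simulated network with poisoned DNS: the impostor host has no valid
    certificate, so https fails, but plain http is answered."""
    if url.startswith("https://"):
        raise FetchError("TLS certificate validation failed")
    return {"url": url, "controlled_by": "adversary"}

def honest_fetch(url):
    """Simulated healthy network: the real site answers over https only."""
    if url.startswith("https://"):
        return {"url": url, "controlled_by": "owner"}
    raise FetchError("connection refused")

def resolve_with_fallback(typed, fetch):
    """Weak relying party: tries https, then silently retries over http."""
    for scheme in ("https://", "http://"):
        try:
            return fetch(scheme + typed)
        except FetchError:
            continue
    raise FetchError("identifier unreachable")

def resolve_strict(typed, fetch):
    """Hardened relying party: an identifier typed without a scheme means
    https only. Assumption: an explicit http:// identifier is allowed, but
    it is a different identity and is never reached by downgrade."""
    if typed.startswith(("http://", "https://")):
        url = typed
    else:
        url = "https://" + typed
    return fetch(url)  # FetchError propagates, so the login fails closed

def outcome(resolve, fetch, typed=ID):
    """Who controls the account the user ends up logged in to."""
    try:
        return resolve(typed, fetch)["controlled_by"]
    except FetchError:
        return "login refused"

if __name__ == "__main__":
    for resolve in (resolve_with_fallback, resolve_strict):
        print(resolve.__name__, "->", outcome(resolve, poisoned_fetch))
```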