[security] [dix] Re: Gathering requirements for in-browser OpenID support

Ben Laurie benl at google.com
Mon Oct 30 11:05:11 UTC 2006 

On 28/10/06, Chris Drake <christopher at pobox.com> wrote:
> Hi Ben,
>
> Apart from that blog where the blogger didn't realize that all banks
> immediately suspend accounts that get logged in to from Russia,
> Eastern Europe, Asia, and more generally - anyplace other than
> "normal" - and as such - can't ever work - no - phishing attacks are
> not MitM.  They're just bogus web sites that email captured
> credentials to hackers.  Sure - some hackers might be able to capture
> some token credentials, but they can't *use* them - not from Russia,
> and not after the 30seconds or so most token codes last for.
>
> Besides - and the most important thing really - there's no such thing
> that *I've* ever heard of that *can* be put into any protocol to
> prevent MitM attacks from succeeding.  If user A doesn't check their
> URL says site B when user A thinks they're on site C - then site B can
> merely proxy anything site C puts up, stealing whatever they want in
> the process.

Clearly you need to update your crypto knowledge. There are many
protocols that prevent MitM - for example, EKE.

Yes, site B can always proxy, but it doesn't help site B if he is
proxying a conversation he can't understand, by virtue of it being
encrypted.

> MitM is not a protocol problem - it's a "stupid user" problem.

Wrong.

>
> Kind Regards,
> Chris Drake
>
>
> Sunday, October 29, 2006, 2:28:03 AM, you wrote:
>
> BL> On 28/10/06, Chris Drake <christopher at pobox.com> wrote:
> >> BL> 2 factor auth gets you nowhere if the underlying protocols don't
> >> BL> protect you from MitM.
> >>
> >> What he *means* of course - is that 2-Factor auth solves pretty much
> >> every security problem users are likely to face in the wild
> >> (especially the most common and dangerous - phishing) - with the
> >> *exception* of Man-in-the-middle attacks, in some circumstances.
>
> BL> ? But many phishing attacks are MitM.
>
> >> It certainly doesn't "get you nowhere" - it almost always gets you
> >> exactly to where you want to be.
>
> BL> We seem to be drifting far from the original point, which was that the
> BL> protocols should protect users against MitM. 2-factor auth doesn't do
> BL> this, of itself. And if the protocols do provide protection, then
> BL> 2-factor auth defends against a rather small subset of attacks.
>
> >>
> >> Kind Regards,
> >> Chris Drake
> >>
> >>
> >> _______________________________________________
> >> general mailing list
> >> general at openid.net
> >> http://openid.net/mailman/listinfo/general
> >>
>
>
>
>

More information about the general mailing list