[OpenID] Phishing resistant policy of PAPE
Eric Norman
ejnorman at doit.wisc.edu
Wed Oct 29 00:41:14 UTC 2008
On Oct 28, 2008, at 7:21 PM, Breno de Medeiros wrote:
> On Tue, Oct 28, 2008 at 5:12 PM, Eric Norman <ejnorman at doit.wisc.edu>
> wrote:
>>
>> On Oct 28, 2008, at 6:41 PM, Breno de Medeiros wrote:
>>
>>> The phishing attack that you presented above is not a phishing attack
>>> that can be prevented.
>>
>> Information cards seem to provide effective resistance.
>
> Against sites that ask users for their credit cards?
Yes.
>> Some argue that EV certificates provide such resistance.
>
> Against sites that ask users for their credit cards?
Yes.
>> Some even argue that regular old server certificates can
>> provide such resistance.
>
> Against sites that ask users for their credit cards?
Yes.
>>
>
> I don't see how any of these technologies prevent against the attack
> you described.
Because they send a signal to the user that the other end is
who the user thinks it is. And a different signal if it isn't.
In the latter cases, the signal doesn't seem to be blatant
enough, but it's there.
Eric Norman