[security] [dix] Re: Gathering requirements for in-browser OpenID support
Chris Drake
christopher at pobox.com
Sat Oct 28 16:56:24 UTC 2006
Hi Ben,
Apart from that blog where the blogger didn't realize that all banks
immediately suspend accounts that get logged in to from Russia,
Eastern Europe, Asia, and more generally - anyplace other than
"normal" - and as such - can't ever work - no - phishing attacks are
not MitM. They're just bogus web sites that email captured
credentials to hackers. Sure - some hackers might be able to capture
some token credentials, but they can't *use* them - not from Russia,
and not after the 30seconds or so most token codes last for.
Besides - and the most important thing really - there's no such thing
that *I've* ever heard of that *can* be put into any protocol to
prevent MitM attacks from succeeding. If user A doesn't check their
URL says site B when user A thinks they're on site C - then site B can
merely proxy anything site C puts up, stealing whatever they want in
the process.
MitM is not a protocol problem - it's a "stupid user" problem.
Kind Regards,
Chris Drake
Sunday, October 29, 2006, 2:28:03 AM, you wrote:
BL> On 28/10/06, Chris Drake <christopher at pobox.com> wrote:
>> BL> 2 factor auth gets you nowhere if the underlying protocols don't
>> BL> protect you from MitM.
>>
>> What he *means* of course - is that 2-Factor auth solves pretty much
>> every security problem users are likely to face in the wild
>> (especially the most common and dangerous - phishing) - with the
>> *exception* of Man-in-the-middle attacks, in some circumstances.
BL> ? But many phishing attacks are MitM.
>> It certainly doesn't "get you nowhere" - it almost always gets you
>> exactly to where you want to be.
BL> We seem to be drifting far from the original point, which was that the
BL> protocols should protect users against MitM. 2-factor auth doesn't do
BL> this, of itself. And if the protocols do provide protection, then
BL> 2-factor auth defends against a rather small subset of attacks.
>>
>> Kind Regards,
>> Chris Drake
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
More information about the security
mailing list