Re: [Cryptography] Toxic Combination

On Mon, Dec 1, 2014, at 08:55 AM, Guido Witmond wrote:
And this is taken advantage of every day by phishing attacks. However, although your solution of setting up DNSSEC and DANE is the _correct_ solution, it's just too complex and hard to get right for a lot of system admins, so it's not going to get uptake; just look at how PGP is also the _correct solution_ for encrypting messages and yet has not had the uptake since 1991! I think a better solution would be something like implementing Digest Authentication (RFC 2069, but replacing MD5 with something like AES-256 and allowing it to be upgradable) in the browser. The password field value would then be replaced with the value from the DA call and no secrets would be leaked. This solution would get way faster adoption.

Alfie

--
Alfie John
alfiej@fastmail.fm
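To make concrete what "the password field value would be replaced with the value from the DA call" means, here is an added example (not code from the thread or from any of its participants) of a minimal Digest-style challenge/response in Python. It follows the RFC 2617/7616 construction but substitutes SHA-256 for MD5, since the construction needs a hash rather than a cipher; the realm, usernames, passwords and URIs are constructed sample values, and the `DigestServer` and `client_response` names are this example's own. The server keeps only H(A1), hands out a single-use nonce, and the client sends a digest bound to that nonce and the request URI, so the password itself never goes on the wire and a captured response cannot be replayed.

```python
import hashlib
import secrets


def h(data: str) -> str:
    """H() from RFC 7616, with SHA-256 in place of MD5 (an assumption of this example)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def kd(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return h(f"{secret}:{data}")


def client_response(username: str, password: str, realm: str, nonce: str,
                    method: str, uri: str, cnonce: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    """What a browser would put in the password field instead of the password.

    A1 = username:realm:password, A2 = method:uri,
    response = KD(H(A1), nonce:nc:cnonce:qop:H(A2)).
    The password only ever feeds the hash on the client side.
    """
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return kd(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Hypothetical relying party: stores H(A1) only and issues single-use nonces."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Never store the cleartext password; H(A1) is enough to verify responses.
        self.ha1 = {u: h(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.outstanding_nonces = set()

    def challenge(self) -> str:
        """Issue a fresh random nonce (the WWW-Authenticate step)."""
        nonce = secrets.token_hex(16)
        self.outstanding_nonces.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, nc: str, cnonce: str,
               method: str, uri: str, response: str, qop: str = "auth") -> bool:
        """Check a response; each nonce is accepted once, which blocks replay."""
        if nonce not in self.outstanding_nonces:
            return False            # unknown, expired, or already consumed
        self.outstanding_nonces.discard(nonce)
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        ha2 = h(f"{method}:{uri}")
        expected = kd(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        # Constant-time comparison so verification timing leaks nothing.
        return secrets.compare_digest(expected, response)


def run_exchange(password_typed: str) -> dict:
    """One full exchange with constructed sample data; returns what went on the wire."""
    server = DigestServer("login.example.org", {"alice": "correct horse battery"})
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    response = client_response("alice", password_typed, "login.example.org",
                               nonce, "POST", "/session", cnonce)
    ok = server.verify("alice", nonce, "00000001", cnonce, "POST", "/session", response)
    # A second submission with the same nonce must be rejected (replay).
    replayed = server.verify("alice", nonce, "00000001", cnonce, "POST", "/session", response)
    return {"accepted": ok, "replay_accepted": replayed,
            "wire_value": response, "password_on_wire": password_typed in response}


if __name__ == "__main__":
    print(run_exchange("correct horse battery"))
    print(run_exchange("wrong password"))
```

The `wire_value` is what replaces the password field: a 64-character hex digest that is useless to a passive observer and, because the server consumes each nonce, useless to an attacker who captures it and submits it again.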

On Sun, Nov 30, 2014 at 2:58 PM, Alfie John <alfiej@fastmail.fm> wrote:
There's also the FIDO Alliance's Universal Authentication Factor: http://fidoalliance.org/specs/fido-uaf-overview-v1.0-rd-20140209.pdf

--
Tony Arcieri

On Mon, Dec 01, 2014 at 09:58:25AM +1100, Alfie John wrote:
> just look at how PGP is also the _correct solution_ for encrypting messages and yet has not had the uptake since 1991!

the truth of this statement depends heavily on the threat model. the (amongst others) all-archiving kraken is copying all pgp cryptograms, as they are shiny beacons of cryptographic interest. not only do they generally disclose the recipients in plaintext metadata, but considering the ANT catalog, Hacking Team, FinFisher FinISP and other market offers for cheap side-channel attacks to recover key material, i would say this statement was true until a few years ago.

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt