Maybe It's Snake Oil All the Way Down

James A. Donald jamesd at echeque.com
Fri Jun 6 17:24:55 PDT 2003


    --
James A. Donald:
> > Certificate caching is not the problem that needs solving.
> > The problem is all this spam attempting to fool people into
> > logging in to fake BofA websites and fake e-gold websites,
> > to steal their passwords or credit card numbers

On 6 Jun 2003 at 15:04, Tim Dierks wrote:
> I don't think this problem is easier to solve (or at least I
> sure don't know how to solve it).

It is a hard problem with many well known solutions, none of
which have to my knowledge been implemented in HTTPS.  For
example one can use SPEKE, in which case setting up the account
involves sharing (or issuing) a password, but logging in to the
account does not require one to reveal the password to the site
where one is logging in.   In this case the fake website would
gain no useful information by luring the user to login to it.

The most HTTPS like solution would be to generate a keyfile
containing a self signed private key on one's computer, and
whenever one hit the website, it would do the HTTPS handshake
to log you in to that website's account for the public key
corresponding to your private key, however HTTPS does not seem
to directly support this model.   In this case the bogus web
site could log you in, but this would not leak any information
that would enable the operators of the bogus web site to login
to the real web site. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     /JhekrYM+sQCMQKXhiWzhB3RnOv6PZROgxYwprXj
     4LHJfuGlcn7fO4tcfo20/t0cdEy/HyK++XiBVvMFy


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com





More information about the cypherpunks-legacy mailing list