An attack on paypal --> secure UI for browsers

Nomen Nescio nobody at dizum.com
Tue Jun 10 18:30:10 PDT 2003


Adam Lydick writes:

> I'd guess that no applications (besides the secure nexus) would
> have access to your "list of doggie names", just the ability to display
> it. The list just indicates that you are seeing a window from one of
> your partitioned and verified applications. I would also assume the
> window would get decorated with the name of the trusted application (not
> just your secret list). Thus you only need a single secret list to
> handle all of your "authorized" applications.

That makes sense.  However it puts the burden onto the user to closely
inspect his window frames in order to make sure that he is talking
to the program (or NCA in Palladium) that he thinks he is talking to.
It also introduces the problem of program-name spoofing; you might be
given a dialog to enter your password for Paypa1 or E-Go1d.

If users were that careful, we wouldn't have these kinds of problems in
the first place.
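
The name-spoofing problem raised in the reply above (Paypa1, E-Go1d), as an added example that is not part of the original post: a Python check that flags a displayed application name whose lookalike-normalized form collides with a trusted name. The lookalike table, the trusted list and the function names are assumptions constructed for illustration.

```python
import unicodedata

# Constructed, non-exhaustive lookalike table (assumption, not from the post).
LOOKALIKES = str.maketrans({
    "1": "l", "|": "l", "0": "o", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})


def skeleton(name):
    """Reduce a display name to a form in which lookalikes compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    # Drop combining marks so accented letters match their base letters.
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = no_marks.casefold().translate(LOOKALIKES)
    # Ignore punctuation and spacing: "E-Go1d" and "EGold" compare equal.
    return "".join(c for c in folded if c.isalnum())


def imitated_name(candidate, trusted_names):
    """Return the trusted name that candidate visually imitates, else None."""
    if candidate in trusted_names:
        # Exact match on the string only; whether the program really is that
        # application has to be established by other means than its name.
        return None
    by_skeleton = {skeleton(t): t for t in trusted_names}
    return by_skeleton.get(skeleton(candidate))


TRUSTED = ["PayPal", "E-Gold"]  # constructed sample list

if __name__ == "__main__":
    for shown in ["Paypa1", "E-Go1d", "PayPal", "Notepad"]:
        print(shown, "->", imitated_name(shown, TRUSTED))
```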




