[liberationtech] Announcing a privacy preserving authentication protocol
Rich Kulawiec
rsk at gsp.org
Thu Mar 21 13:02:21 PDT 2013
On Tue, Mar 12, 2013 at 06:31:56PM -0500, Kyle Maxwell wrote:
> A. This doesn't eliminate phishing because users will still enter
> their credentials at a site that doesn't actually match the one where
> the cert was previously signed. Otherwise, existing HTTPS controls
> would already protect them.
True, but phishing is not currently a solvable problem anyway; it falls
into a class of problems that can't be solved no matter how much clever
technology is developed because all of that technology presumes that
end user systems are secure...annnnnd they're not. (Other problems in
that class: spam, email forgery, DDoS.)
A substantial percentage of end user systems are already compromised
(in full or part) and more of them are being compromised while you're
reading this. So unless this proposal or one like comes with a plan
to remediate a few hundred million systems, it may be beautiful in theory,
but it won't work in practice.
In passing, let me note that banks and other financial institutions are
aiding and abetting phishers by doing extremely stupid things like
(a) sending email marked up with HTML (b) sending email with URLs (c) sending
email with with web bugs (d) outsourcing their email. The irony is that
while those entities are busy *training* their customers to be phished,
they're constantly whining about how terribly awfully bad the situation is.
There is insufficient scotch to dull the pain of that much stupid.
---rsk
More information about the liberationtech
mailing list