Network Security: Detailed info on RE: Proposal to anti-phishing

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

RE: Proposal to anti-phishing

from [Michael Silk] Network Security

[Permanent Link]

Subject:	RE: Proposal to anti-phishing
Date:	Tue, 18 Jan 2005 23:44:15 -0800

Rogan,

The only possible attack against SSL client certs is against the
"re-issue" process, I think, and there again, the bank has control. The
way I see it, the phisher could try to get the user to "renew" their
cert, by providing some authenticating information that the phisher
could try to use to get a new cert from the bank. But, the key here is
"from the BANK".


 Could even be as simple as presenting a message such as:

 "Our cert system is down, please enter your phone banking details
here to gain access".

 Another issue with SSL client certs (please correct me if i'm wrong)
is that it's basically sitting on the computer 24/7. If you can gain
access to the machine it's on you (Joe hacker..) can then take it and
use it elsewhere.

 And laptops that are used by multiple employee's or family members,
or robbers.. ?

 And on this note, it would mean it's fairly difficult for a user to
use their banking from work and home with this setup, isn't it ?

-- Michael

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Proposal to anti-phishing, (continued) Re: Proposal to anti-phishing, Rogan Dawes Re: Proposal to anti-phishing, Moksha Faced Re: Proposal to anti-phishing, Jimi Thompson RE: Proposal to anti-phishing, Lyal Collins Re: Proposal to anti-phishing, Robert Hajime Lanning Re: Proposal to anti-phishing, Frank Knobbe Re: Proposal to anti-phishing, Florian Weimer RE: Proposal to anti-phishing, ACMurray RE: Proposal to anti-phishing, Michael Silk Re: Proposal to anti-phishing, exon RE: Proposal to anti-phishing, Michael Silk <= Re: Proposal to anti-phishing, Rogan Dawes Re: Proposal to anti-phishing, Michael Silk Re: Proposal to anti-phishing, Rogan Dawes Re: Proposal to anti-phishing, Michael Silk Re: Proposal to anti-phishing, Rogan Dawes RE: Proposal to anti-phishing, Michael Silk RE: Proposal to anti-phishing, Adler Eliacin Re: Proposal to anti-phishing, Michael Silk Re: Proposal to anti-phishing, Mike Podanoffsky RE: Proposal to anti-phishing, Harper.Matthew

Previous by Date:	Re: SQL injection, James Riden
Next by Date:	RE: Content monitorting in Application Security, Ofer Shezaf
Previous by Thread:	Re: Proposal to anti-phishing, exon
Next by Thread:	Re: Proposal to anti-phishing, Rogan Dawes
Indexes:	[Date] [Thread] [Top] [All Lists]