Re: [dix] Agenda bashing

"Haripriya S" <sharipriya@novell.com> Tue, 04 July 2006 10:10 UTC

Message-Id: <44AA8C35.A648.00B6.0@novell.com>
X-Mailer: Novell GroupWise Internet Agent 7.0.1
Date: Tue, 04 Jul 2006 04:11:40 -0600
From: Haripriya S <sharipriya@novell.com>
To: Digital Identity Exchange <dix@ietf.org>, EKR <ekr@networkresonance.com>
Subject: Re: [dix] Agenda bashing
References: <20060703172550.A182A222425@laser.networkresonance.com> <44A973DC.9040801@cisco.com><44A973DC.9040801@cisco.com> (Eliot Lear's message of "Mon, 03 Jul 2006 21:45:32 +0200") <86zmfqa0au.fsf@raman.networkresonance.com>
In-Reply-To: <86zmfqa0au.fsf@raman.networkresonance.com>

pwdHash can address two problems:
 a. theft of the passwords from one website and using the same at other
websites
 b. theft of passwords for the target website by phishing
But techniques like pwdHash cannot prevent phishing attacks where the
phishing sites do not even validate the password from the user, but go
on to prompt for and capture long-term credentials from the user, like
credit cards etc. As Eliot pointed out, in such cases it is the server
which needs to be authenticated in a phish-proof way.

Thanks and Regards,
Haripriya
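The two protections listed above, as an added Python example that is not part of this thread or of the PwdHash project: a per-site password derived from the master password and the site's domain is distinct per site, so a value leaked from one site (a) or captured by a look-alike phishing domain (b) does not log in at the real site, while a phishing page that never checks the password and just asks for a card number is untouched. It assumes HMAC-SHA256 with its own output encoding rather than PwdHash's exact scheme, a two-label domain rule, and constructed domains, user and master password.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

def site_domain(url: str) -> str:
    # Assumption: bind to the last two DNS labels. The real PwdHash extension
    # uses a public-suffix list (e.g. for example.co.uk); this demo does not.
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def site_password(master: str, url: str) -> str:
    # HMAC keyed with the master password over the site domain: the server
    # never sees the master password, and each domain gets a distinct value.
    # The base64 encoding is our own choice, not PwdHash's exact output format.
    mac = hmac.new(master.encode(), site_domain(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii").rstrip("=")[:20]

class Site:
    """Toy server: stores only a hash of whatever password it was given."""

    def __init__(self, url: str):
        self.url = url
        self.verifiers = {}

    def register(self, user: str, password: str) -> None:
        self.verifiers[user] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user: str, password: str) -> bool:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self.verifiers.get(user, ""), digest)

def demo() -> dict:
    master = "correct horse battery staple"  # constructed sample master password
    bank = Site("https://www.bank.example/login")
    shop = Site("https://shop.example/account")
    bank.register("alice", site_password(master, bank.url))
    shop.register("alice", site_password(master, shop.url))
    # (a) what a breach at shop.example would leak: useless at the bank
    leaked_from_shop = site_password(master, shop.url)
    # (b) what a look-alike phishing domain captures: also useless at the bank
    phished = site_password(master, "https://www.bank-example.example/login")
    return {
        "distinct_per_site": leaked_from_shop != site_password(master, bank.url),
        "leaked_works_at_bank": bank.login("alice", leaked_from_shop),
        "phished_works_at_bank": bank.login("alice", phished),
        "real_login_works": bank.login("alice", site_password(master, bank.url)),
    }
```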
 
>>> Eric Rescorla <ekr@networkresonance.com> 07/04/06 2:11 AM >>> 
Eliot Lear <lear@cisco.com> writes:

> Eric Rescorla wrote:
>> That's *one* way to attack phishing (at least the current form).
>> There are others (cf. PwdHash)
>>   
>
> I'm sorry, but PwdHash is not enough of a reference for me to
> understand,

http://crypto.stanford.edu/PwdHash/

It's the first hit in Google, FWIW.


> but I claim that the most *effective* way to prevent
> phishing is to demand that the server prove its identity enough to
> know the right question to ask of the client.  If PwdHash covers this
> ground, then we agree.

It doesn't. It uses an entirely different technique.

I don't think it's profitable to argue about what "most effective"
is, but I don't agree that the mechanism you describe is the only
one.

- Ekr



_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
