Re: [dix] Agenda bashing
"Haripriya S" <sharipriya@novell.com> Tue, 04 July 2006 10:10 UTC
Date: Tue, 04 Jul 2006 04:11:40 -0600
From: Haripriya S <sharipriya@novell.com>
To: Digital Identity Exchange <dix@ietf.org>, EKR <ekr@networkresonance.com>
Subject: Re: [dix] Agenda bashing
pwdHash can address two problems:
a. theft of the passwords from one website and using the same at other websites
b. theft of passwords for the target website by phishing

But techniques like pwdHash cannot prevent phishing attacks where the phishing sites do not even validate the password from the user, but go on to prompt and capture long-term credentials from the user like credit cards etc. As Eliot pointed out, in such cases it is the server which needs to be authenticated in a phish-proof way.

Thanks and Regards,
Haripriya

>>> Eric Rescorla <ekr@networkresonance.com> 07/04/06 2:11 AM >>>
Eliot Lear <lear@cisco.com> writes:
> Eric Rescorla wrote:
>> That's *one* way to attack phishing (at least the current form).
>> There are others (cf. PwdHash)
>>
>
> I'm sorry, but PwdHash is not enough of a reference for me to
> understand,

http://crypto.stanford.edu/PwdHash/

It's the first hit in Google, FWIW.

> but I claim that the most *effective* way to prevent
> phishing is to demand that the server prove its identity enough to know
> the right question to ask of the client. If PwdHash covers this ground,
> then we agree.

It doesn't. It uses an entirely different technique. I don't think
it's profitable to argue about what "most effective" is, but I
don't agree that the mechanism you describe is the only one.

- Ekr

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
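Added example, not part of the original message and not PwdHash's own code: a minimal domain-bound password derivation in the style of PwdHash, exercising cases (a) and (b) listed in the message above. The HMAC-SHA256 construction, the two-label domain rule, the `Site` class and every sample value are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Simplified assumption: the last two host labels identify the site.
    A real tool would consult the Public Suffix List instead."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def site_password(master: str, url: str) -> str:
    """Derive the value actually sent to a page: an HMAC keyed with the
    master password over the domain of the page asking for it."""
    mac = hmac.new(master.encode(), site_domain(url).encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest())[:16].decode()


class Site:
    """Constructed server that only ever sees its own derived password."""

    def __init__(self, url: str, master: str):
        self.url = url
        self._stored = site_password(master, url)

    def login(self, submitted: str) -> bool:
        return hmac.compare_digest(self._stored, submitted)

    def leak(self) -> str:
        return self._stored  # what a database theft would expose


MASTER = "correct horse"  # constructed sample master password
bank = Site("https://login.bank.example/", MASTER)
forum = Site("https://forum.example/", MASTER)


def reuse_after_breach() -> bool:
    # Case (a): the forum's stored value is tried against the bank.
    return bank.login(forum.leak())


def replay_after_phish(phish_url: str) -> bool:
    # Case (b): the user types the master password on a look-alike page,
    # which receives only the value bound to its own domain.
    return bank.login(site_password(MASTER, phish_url))
```

The derivation has no effect on the case the message goes on to describe, where the page never checks the password and simply asks for other long-term credentials.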