
RE: Symptoms vs. Causes

2007-09-13 10:04:25
You are both wrong.
 
Mouseclick loggers are commonplace. They have been around for at least four 
years, about six months after banks in Brazil started to use mouse based 
keyboards. Some of them capture the screen area round the mouse pointer at the 
time of the click.
 

________________________________

From: Eric Rescorla [mailto:ekr(_at_)networkresonance(_dot_)com]
Sent: Thu 13/09/2007 11:27 AM
To: michael(_dot_)dillon(_at_)bt(_dot_)com
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: Symptoms vs. Causes



At Thu, 13 Sep 2007 16:14:47 +0100,
<michael(_dot_)dillon(_at_)bt(_dot_)com> wrote:


So much for typing. How about selecting password letters from dropdown
boxes, or from an image map with scrambled letters that was sent to
the browser.

Sorry, what about these? They have essentially the same
security properties as cleartext passwords.

One would hope that all communication from the browser to the server
is encrypted as in SSL regardless of whether passwords go in
cleartext or whether there is some Javascript to encrypt them
first. In that case, the big issue is keylogging software that has
been widely installed by malware distributed by Phishing
organizations. Key-stroke loggers do not look at mouse-clicks.

(1) No, this technique is still easily phished by someone who
    impersonates the image map.
(2) It's easy to write keyloggers that would capture mouse clicks.
    Nobody does it because the imagemap technique is not widely
    used. If it were, that would change.


Second, it doesn't take that many phishing attacks to extract
most of the secret word.

Depends on length of said word/phrase. Also, I can see how naïve
people are fooled by the first email, but surely the percentage who
would click on each successive email decreases.

That's far from clear, but even if it were so, the phisher can force
multiple trials on the same phishing email, as if you had mistyped,
thus recovering significant portions of the secret word. And of
course, this either requires multiple secret words or a strong
password equivalent on the server side.


You've mentioned man-in-the-middle attacks. Such attacks cannot be
prevented if the user interface requires cleartext inputs.

I suppose it depends on what you mean by "cleartext inputs". See:

  [0] J. Alex Halderman, Brent Waters, and Edward W. Felten, "A Convenient
  Method for Securely Managing Passwords", In Proceedings of the 14th
  International World Wide Web Conference (WWW 2005)

  [1] Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh and John C.
  Mitchell, "Stronger Password Authentication Using Browser Extensions",
  Proceedings of the 14th Usenix Security Symposium, 2005.

-Ekr

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

