[Ietf-http-auth] Pondering some issues on the phishing draft

christopher at pobox.com
Tue Oct 23 22:48:01 PDT 2007

Hi Eric,

Cookies work, yes - so you answered your own question for 99.9% of use
cases (the remaining 0.1% being folks who regularly use machines they
can't store their cookies on).  You also highlighted the drawbacks of
pwdhash - how does a user do anything on the theoretical "new device",
especially one like a phone or work PC that has no plugin or admin

Anyhow - while cookies work - that's still boringly "inside the box"
and assuming far too much.  Here are the MD5s of my next reply to you:
1134102756cd5c895709aeb9d821b4da 82b4f03e38fc086ade8d35a4a743c7b9

Have a go at lateral-thinking, jump outside the box, and let me know
what better ideas you can come up with besides cookies.  Hint:
challenge *all* your assumptions :-)


Wednesday, October 24, 2007, 3:05:43 PM, you wrote:

ER> At Wed, 24 Oct 2007 14:50:13 +1000,
ER> christopher at pobox.com wrote:
>> Hi Eric,
>> The shoe's the mutual auth - if it's wrong or missing, you're being
>> phished. When present, you've subtly compelled users to use the
>> "clue", which was Sam's other big worry.

ER> And what stops the attacker from entering your userid and seeing the
ER> same picture? In the past, when I've seen systems like this, the
ER> client stores some cookie which tells the server which picture to
ER> show. But when the user uses a new device, or the client forgets the
ER> cookie, they get prompted with some extended authentication
ER> dialog---which is a good candidate for phishing. And since due to
ER> various glitches this happens somewhat frequently...

ER> -Ekr
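A small model of the two designs being argued about above, added here as an example and not code from either poster or from any real "personal picture" system. It assumes a hypothetical `PictureServer` with a `picture_for` lookup, and compares a server that keys the picture on the userid alone (Eric's objection: anyone who types the userid sees it) with one that only shows the picture to a browser holding a device cookie issued after the extended authentication step; without that cookie the cookie-bound server falls back to the extended dialog rather than reveal the picture. The users, pictures and cookies are constructed sample data.

```python
"""Toy model of the 'personal picture' mutual-auth scheme from the thread.

Constructed example: two server policies are compared.
  - keyed by userid only: any request carrying the userid gets the picture
  - keyed by a device cookie issued after a full login on that device: the
    picture is only returned to a browser that already holds the cookie for
    that userid; otherwise the server asks for extended authentication
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PictureServer:
    bind_to_device_cookie: bool
    pictures: Dict[str, str] = field(default_factory=dict)        # userid -> picture id
    device_cookies: Dict[str, str] = field(default_factory=dict)  # cookie -> userid

    def enroll(self, userid: str, picture: str) -> None:
        """User picks their personal picture during account setup."""
        self.pictures[userid] = picture

    def issue_device_cookie(self, userid: str) -> str:
        """Called only after the extended-authentication step succeeded on a
        new device; the cookie tells the server which picture to show later."""
        cookie = secrets.token_urlsafe(32)
        self.device_cookies[cookie] = userid
        return cookie

    def picture_for(self, userid: str, cookie: Optional[str] = None) -> dict:
        """First login step: client sends userid (plus any stored cookie) and
        expects the personal picture back before it types the password."""
        if userid not in self.pictures:
            return {"status": "unknown_user"}
        if not self.bind_to_device_cookie:
            # Userid-only policy: the picture is a function of the userid,
            # so it says nothing about who is asking.
            return {"status": "ok", "picture": self.pictures[userid]}
        owner = self.device_cookies.get(cookie) if cookie else None
        if owner is None or not hmac.compare_digest(owner, userid):
            # No valid cookie for this userid: do not reveal the picture,
            # send the client into the extended-authentication dialog.
            return {"status": "extended_auth_required"}
        return {"status": "ok", "picture": self.pictures[userid]}


def compare_policies() -> Dict[bool, Dict[str, dict]]:
    """Run the same requests against both policies and collect the replies."""
    results: Dict[bool, Dict[str, dict]] = {}
    for bound in (False, True):
        server = PictureServer(bind_to_device_cookie=bound)
        server.enroll("alice", "lighthouse.png")   # constructed sample users
        server.enroll("bob", "anchor.png")
        # Alice's usual browser completed the full login once and holds a cookie.
        alice_cookie = server.issue_device_cookie("alice")
        results[bound] = {
            "alice_usual_device": server.picture_for("alice", alice_cookie),
            "no_cookie": server.picture_for("alice"),
            "wrong_user_cookie": server.picture_for("bob", alice_cookie),
        }
    return results


if __name__ == "__main__":
    for bound, replies in compare_policies().items():
        print("cookie-bound" if bound else "userid-only", replies)
```

The `no_cookie` reply is the one the thread turns on: the userid-only server hands back the picture, the cookie-bound server does not. The cost, visible in the same reply, is that a cookie-less device (the "new device" case) always lands in the extended dialog, which is the step Eric flags as the phishable one.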
