[Ietf-http-auth] Pondering some issues on the phishing draft
Eric Rescorla
ekr at networkresonance.com
Wed Oct 24 05:03:06 PDT 2007
At Wed, 24 Oct 2007 15:48:01 +1000,
christopher at pobox.com wrote:
>
> Hi Eric,
>
> Cookies work, yes
No, cookies don't work.
The problem, as I said, is that any mechanism which relies on cookies
needs a recovery mechanism in case the cookie gets lost. That recovery
mechanism generally entails a bunch of challenge questions. But
now those challenge questions themselves become a phishing target.
> - so you answered your own question for 99.9% of use
> cases (the remaining 0.1% being folks who regularly use machines they
> can't store their cookies on). You also highlighted the drawbacks of
> pwdhash - how does a user do anything on the theoretical "new device",
> especially one like a phone or work PC that has no plugin or admin
> rights?
> Anyhow - while cookies work - that's still boringly "inside the box"
> and assuming far too much. Here's the MD5s of my next reply to you:
> 1134102756cd5c895709aeb9d821b4da 82b4f03e38fc086ade8d35a4a743c7b9
>
> Have a go at lateral-thinking, jump outside the box, and let me know
> what better ideas you can come up with besides cookies. Hint:
> challenge *all* your assumptions :-)
How about instead we skip the game playing and you describe what
you have in mind?
-Ekr