
Radovan Semančík's Weblog

Friday, 18 November 2005

I've recently found Dan Blum's Identerati blog and found there a piece that explains why "strong" authentication will not fix phishing. And it really struck me. How could anyone ever think that one-way authentication can fix a man-in-the-middle attack? What kind of people are out there?

Some environments can really surprise me. It was only a few years ago that I learned that some American bank used only simple passwords for Internet banking access. "What foolishness", I thought. Here, in barbaric Eastern Europe, no bank would ever risk that. Even the technologically least advanced bank deployed at least some kind of "strong" auth before the turn of the millennium. And even with strong auth there were some breaches. Nothing public, of course :-)

Only later did I learn that it is common practice in the US to use passwords only. Real foolishness. I'm no fan of so-called "strong authentication", because that is usually just a one-way dynamic password authentication scheme (*) packaged in a nice box. But even that is much better than static passwords.

(*) Oh yeah, you can "secure" the "strong" auth by wrapping the HTML form in SSL. But, have you ever seen the list of "trusted" Certificate Authorities in your browser? No? Then go on and have a look. I would bet that there are many of them that you've never heard of. Do you trust them? I'm sure you do.
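As an added illustration of the point above (example code, not part of the original post): a one-way dynamic password depends only on the shared secret and a counter, so the real site accepts it no matter which page collected it, and a man-in-the-middle who forwards it in real time gets in. A response that also commits to the origin the user is actually connected to fails the same relay. The secret, origins and function names are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo values: the seed shared between the user's token and the bank,
# the bank's real origin, and the look-alike origin the user was lured to.
SECRET = b"constructed-demo-seed"
BANK_ORIGIN = "https://bank.example"          # assumption: the legitimate site
PHISH_ORIGIN = "https://bank-login.example"   # assumption: the man-in-the-middle's site


def otp(secret: bytes, counter: int) -> str:
    """One-way dynamic password: a 6-digit code from secret and counter/time step only."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def bound_response(secret: bytes, counter: int, origin: str) -> str:
    """Origin-bound response: the client mixes in the origin it is really talking to."""
    msg = counter.to_bytes(8, "big") + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def bank_accepts_otp(code: str, counter: int) -> bool:
    """The bank recomputes the expected OTP; nothing in it says where the user typed it."""
    return hmac.compare_digest(code, otp(SECRET, counter))


def bank_accepts_bound(resp: str, counter: int) -> bool:
    """The bank always verifies against its own origin, never against what the client claims."""
    return hmac.compare_digest(resp, bound_response(SECRET, counter, BANK_ORIGIN))


def simulate_relay(counter: int) -> dict:
    """The user authenticates to PHISH_ORIGIN; the middleman forwards the answer unchanged."""
    # One-way OTP: identical regardless of the collecting page, so the relay succeeds.
    relayed_otp = otp(SECRET, counter)
    # Origin-bound: the client answers for the origin it sees, which is the wrong one.
    relayed_bound = bound_response(SECRET, counter, PHISH_ORIGIN)
    return {
        "otp_relay_accepted": bank_accepts_otp(relayed_otp, counter),
        "bound_relay_accepted": bank_accepts_bound(relayed_bound, counter),
    }


if __name__ == "__main__":
    print(simulate_relay(42))  # {'otp_relay_accepted': True, 'bound_relay_accepted': False}
```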

Posted by semancik at 10:24 AM in security
