Re: [TLS] Straw poll on TLS SRP status

Martin Rex wrote:
> I don't think the problem is with the technology (SSL client cert),
> but with the service providers.  They prefer to use passwords, because
> that is what everybody is used to and it has a fairly low cost to
> set up and operate.
>
> However, passwords have the fundamental flaw that they're always vulnerable
> to social engineering attacks, and phishing is basically a form of
> social engineering attack.  As long as passwords are used, phishing
> of some kind will remain possible.
>
>
> I never saw TLS-PSK as an interactive authentication scheme for use
> within a Web Browser.  IMHO that would be a pretty bad idea.
> TLS-PSK should be used only in scenarios that are NOT vulnerable
> to social engineering, something that is part of an initial
> configuration (like WPA/WPA2-keys for WLAN).
>
> Today, a Web-Browser (or any other component that interprets arbitrary
> content from arbitrary sources, or worse, executes arbitrary code
> from arbitrary sources, aka "active content") is the largest security
> problem on every (inter)net connected computer and I have strong doubts
> that one can make it safe against social engineering attacks.
>
>
> One additional problem is "password sharing" across accounts.
> Even if you can educate your users to check a dozen attributes
> before entering their password into the secure prompt for 9 of
> their secure services, I doubt you will be able to prevent them from
> reusing a password on those services that remain traditional
> and vulnerable to phishing.
>
> -Martin
I believe that we all realize that passwords continue to be used because
they are the lowest-common-denominator solution that can work.  I have
always considered the use of passwords by SRP to be one of its strengths
because it allows systems to transition to a secure form of mutual
authentication without significant retraining of the user base.  Will the
existence of TLS-SRP suddenly stop phishing?  Absolutely not.  TLS-SRP is
simply one more tool in the arsenal.

Sam Hartman's I-D, draft-hartman-webauth-phishing, covers all of the
bases.  Phishing is a social engineering attack, and until we can address
the enrollment / re-enrollment challenges for on-line systems there are
always going to be avenues.  However, we can make it incrementally more
difficult for the attacks to be carried out.

Password sharing is a risk that can be mitigated by password expiration
policies.  However, increasing the number of passwords that must be
remembered comes at the cost of the increased risk that users will forget
them and become vulnerable to an attack during re-enrollment.

Jeffrey Altman
Secure Endpoints Inc.
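The message above argues that SRP keeps the familiar password while giving mutual authentication. The following is an added illustration of that exchange, not code from this thread or from any shipping TLS-SRP implementation: a client and server run SRP-6a in one process, the server holds only a salt and verifier v = g^x, the password never leaves the client, and each side proves knowledge of the shared key before trusting the other. Assumed choices: the 1024-bit (N, g) group from RFC 5054, SHA-256 for every hash, and the simplified proof messages M1 = H(A | B | K) and M2 = H(A | M1 | K).

```python
"""SRP-6a, client and server in one process (added example, not from the thread).
Assumptions: RFC 5054 1024-bit group, SHA-256 everywhere, simplified M1/M2 proofs."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# RFC 5054, Appendix A, 1024-bit group (copied; any odd modulus keeps the arithmetic consistent).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def hb(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation (assumption; RFC 5054 specifies SHA-1)."""
    return hashlib.sha256(b"".join(parts)).digest()


def hi(*parts: bytes) -> int:
    return int.from_bytes(hb(*parts), "big")


def pad(n: int) -> bytes:
    """Fixed-width encoding so A and B hash identically on both sides."""
    return n.to_bytes(N_LEN, "big")


k = hi(pad(N), pad(g))  # SRP-6a multiplier


def private_key(identity: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(identity ':' password)); only the client ever computes this."""
    return hi(salt, hb(f"{identity}:{password}".encode()))


def make_verifier(identity: str, password: str, salt: bytes) -> int:
    """Enrollment: the server keeps v = g^x and never sees the password again."""
    return pow(g, private_key(identity, password, salt), N)


class Server:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier

    def challenge(self, A: int) -> Tuple[bytes, int]:
        if A % N == 0:  # mandatory check: a zero A would fix S for the attacker
            raise ValueError("client public value A is invalid")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def verify_client(self, M1: bytes) -> Optional[bytes]:
        u = hi(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)  # (A * v^u)^b
        K = hb(pad(S))
        if not hmac.compare_digest(hb(pad(self.A), pad(self.B), K), M1):
            return None  # client did not know the password behind v
        return hb(pad(self.A), M1, K)  # M2: proves the server holds the real v


class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def start(self) -> int:
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:  # mandatory check, same reason as for A
            raise ValueError("server public value B is invalid")
        u = hi(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("scrambling parameter u is zero")
        x = private_key(self.identity, self.password, salt)
        # B - k*g^x collapses to g^b, so both sides reach S = g^(b*(a + u*x))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hb(pad(S))
        self.M1 = hb(pad(self.A), pad(B), self.K)
        return self.M1

    def verify_server(self, M2: Optional[bytes]) -> bool:
        return M2 is not None and hmac.compare_digest(hb(pad(self.A), self.M1, self.K), M2)


def run_exchange(identity: str, enrolled_password: str, typed_password: str) -> Tuple[bool, bool]:
    """Returns (server accepted client, client accepted server)."""
    salt = secrets.token_bytes(16)
    server = Server(salt, make_verifier(identity, enrolled_password, salt))
    client = Client(identity, typed_password)
    A = client.start()                 # client -> server: I, A
    salt_out, B = server.challenge(A)  # server -> client: s, B
    M1 = client.respond(salt_out, B)   # client -> server: M1
    M2 = server.verify_client(M1)      # server -> client: M2, or failure
    return M2 is not None, client.verify_server(M2)


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse", "correct horse"))  # (True, True)
    print(run_exchange("alice", "correct horse", "hunter2"))        # (False, False)
```

The second call also models the phishing case the thread is about: a server that does not hold the verifier for the password the user actually typed cannot produce a valid M2, so the client learns it is not talking to the legitimate site, and what it sent (A and M1) reveals nothing about the password beyond what an offline dictionary attack on M1 could recover.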



_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.