If two-factor authentication was actually usable (i.e. <keygen> & friends were replaced by something mere mortals could understand), these kinds of attacks would be much less powerful.
It is somewhat funny that VISA and MasterCard have spent 15Y+ failing to establish a secure and convenient method for performing credit-card payments on the Internet.

Anders

On 2013-01-05 05:11, Jeffrey Walton wrote:
> Hi All,
>
> From Dr. Geer on the Cryptography mailing list
> (http://lists.randombit.net/mailman/listinfo/cryptography).
>
> It's another reason to pin your certificates. Stop accepting the
> "broken" as the "norm".
>
> Not everyone is a bank who can be irresponsible and pass losses caused
> by mistakes onto shareholders in pursuit of profits (re: risk
> acceptance). In some cases, people's lives depend upon it.
>
> +1 to Google and AOSP for recognizing the problem, and taking action
> early. I owe the security team a beer.
>
> Jeff
>
> ---------- Forwarded message ----------
> From: <[email protected]>
> Date: Fri, Jan 4, 2013 at 6:40 PM
> Subject: [cryptography] another cert failure
> To: [email protected]
>
> you may have already seen this, but
>
> http://www.bbc.co.uk/news/technology-20908546
>
> Cyber thieves pose as Google+ social network
>
> The lapse let cyber thieves trick people into thinking they were
> on Google+
>
> Web browser makers have rushed to
> fix a security lapse that cyber thieves abused to impersonate Google+.
>
> The loophole exploited ID credentials that browsers use to ensure
> a website is who it claims to be.
>
> By using the fake credentials, criminals created a website that
> purported to be part of the Google+ social media network.
>
> The fake ID credentials have been traced back to Turkish security
> firm TurkTrust which mistakenly issued them.
>
> ...
>
