On 2013-01-05 13:51, Jeffrey Walton wrote:
> On Sat, Jan 5, 2013 at 6:54 AM, Anders Rundgren
> <[email protected]> wrote:
>> If two-factor authentication was actually usable (i.e. <keygen> & friends
>> were replaced by something mere mortals could understand), these
>> kinds of attacks would be much less powerful.
> Devil's advocate: what does two-factor have to do with setting up a
> secure channel based on a public CA hierarchy?

My bad, I really meant PKI (which though in my mind should be complemented by a PIN). Unlike passwords, PKI-based client authentication doesn't give the fake site anything they could use for accessing your account on the real site. "Phish-safe".

> OT: are you aware of any PAKEs that use two factors (password and
> token)? I don't recall any, and would have to get into the academic
> literature.

I don't know what a PAKE is :-(

Anders

> Jeff
>
>> On 2013-01-05 05:11, Jeffrey Walton wrote:
>>> Hi All,
>>>
>>> From Dr. Geer on the Cryptography mailing list
>>> (http://lists.randombit.net/mailman/listinfo/cryptography).
>>>
>>> It's another reason to pin your certificates. Stop accepting the
>>> "broken" as the "norm".
>>>
>>> Not everyone is a bank who can be irresponsible and pass losses caused
>>> by mistakes onto shareholders in pursuit of profits (re: risk
>>> acceptance). In some cases, people's lives depend upon it.
>>>
>>> +1 to Google and AOSP for recognizing the problem, and taking action
>>> early. I owe the security team a beer.
>>>
>>> Jeff
>>>
>>> ---------- Forwarded message ----------
>>> From: <[email protected]>
>>> Date: Fri, Jan 4, 2013 at 6:40 PM
>>> Subject: [cryptography] another cert failure
>>> To: [email protected]
>>>
>>> you may have already seen this, but
>>>
>>> http://www.bbc.co.uk/news/technology-20908546
>>>
>>> Cyber thieves pose as Google+ social network
>>>
>>> The lapse let cyber thieves trick people into thinking they were
>>> on Google+. Web browser makers have rushed to fix a security lapse
>>> that cyber thieves abused to impersonate Google+.
>>>
>>> The loophole exploited ID credentials that browsers use to ensure
>>> a website is who it claims to be.
>>>
>>> By using the fake credentials, criminals created a website that
>>> purported to be part of the Google+ social media network.
>>>
>>> The fake ID credentials have been traced back to Turkish security
>>> firm TurkTrust which mistakenly issued them.
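The certificate pinning Jeff recommends, as an added example that is not part of the thread or of any AOSP code: a public-key (SPKI) pin check in the "sha256/<base64>" pin format used by HPKP and OkHttp, applied after normal chain validation. The SPKI byte strings and key names below are constructed placeholders, not real keys or certificates.

```python
import base64
import hashlib

# Pins take the form "sha256/<base64 of SHA-256(SubjectPublicKeyInfo DER)>".
# A deployment pins at least one backup key so that a planned key rotation
# does not lock clients out.
def spki_pin(spki_der: bytes) -> str:
    """Return the pin string for a DER-encoded SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Accept only if some certificate in the server's (already
    path-validated) chain carries a pinned public key.

    chain_spkis: list of SPKI DER blobs, leaf first.
    pins: set of pin strings for the site's own keys and/or the
    intermediate or root keys it chose to pin.

    This runs in addition to chain validation: a certificate mis-issued
    by a trusted CA (the TurkTrust case) validates fine but fails here
    because its public key is not one of ours.
    """
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed sample inputs (not real keys): stand-ins for the DER SPKI
# of the site's key, its backup key, a public root, and a mis-issued key.
SITE_KEY = b"constructed-spki:site-key-2013"
BACKUP_KEY = b"constructed-spki:site-backup-key"
PUBLIC_ROOT = b"constructed-spki:some-trusted-root"
MISISSUED_KEY = b"constructed-spki:attacker-key-signed-by-trusted-ca"

PINS = {spki_pin(SITE_KEY), spki_pin(BACKUP_KEY)}


def legitimate_chain_ok() -> bool:
    # Genuine site: the leaf key is pinned, so the chain is accepted.
    return chain_matches_pins([SITE_KEY, PUBLIC_ROOT], PINS)


def misissued_chain_ok() -> bool:
    # Mis-issued leaf for the same hostname, chaining to a trusted root:
    # path validation would pass, but the pin check rejects it.
    return chain_matches_pins([MISISSUED_KEY, PUBLIC_ROOT], PINS)


if __name__ == "__main__":
    print("legitimate chain accepted:", legitimate_chain_ok())  # True
    print("mis-issued chain accepted:", misissued_chain_ok())   # False
```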
