On 02/28/2012 10:42 AM, Marsh Ray wrote:
> By forcing the phishing attack to involve the legitimate site, it does one other thing: it puts the site in a position to require strong mutual authentication.
Let me clarify one little detail: web browsers will still send the HTTP request (including form POST data) to a PKI-enabled MitM. The MitM simply doesn't request (or doesn't validate) the client cert in the handshake.
The legitimate site only gets to detect the MitM before deciding whether or not to process the request and send a response.
- Marsh

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
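As an added illustration of the last point (example code, not from Marsh's mail or any project): a Go TLS server that lets the handshake complete even when no client certificate is presented, so the site can still answer, but whose handler refuses to process the POSTed form unless this connection's handshake verified a client certificate against the site's client CA. The file names client-ca.pem, server.pem and server-key.pem are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"
)
// hasVerifiedClientCert reports whether the TLS handshake on this connection
// presented a client certificate that chained to one of the server's ClientCAs.
// A request relayed by a TLS-terminating middlebox arrives on a connection
// with no verified chain, which is how the site detects it.
func hasVerifiedClientCert(cs *tls.ConnectionState) bool {
	return cs != nil && len(cs.VerifiedChains) > 0 && len(cs.VerifiedChains[0]) > 0
}

// requireVerifiedClientCert wraps a handler so the form POST is processed
// (and a real response sent) only when the client cert was verified.
func requireVerifiedClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hasVerifiedClientCert(r.TLS) {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumption: client-ca.pem holds the CA that issues users' certificates.
	caPEM, err := os.ReadFile("client-ca.pem")
	if err != nil { log.Fatal(err) }
	clientCAs := x509.NewCertPool()
	clientCAs.AppendCertsFromPEM(caPEM)
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("login accepted\n")) // only reached with a verified client cert
	})
	srv := &http.Server{
		Addr: ":8443",
		TLSConfig: &tls.Config{
			// Handshake completes without a client cert; the handler does the refusing.
			ClientAuth: tls.VerifyClientCertIfGiven,
			ClientCAs:  clientCAs,
		},
		Handler: requireVerifiedClientCert(login),
	}
	log.Fatal(srv.ListenAndServeTLS("server.pem", "server-key.pem")) // assumed paths
}
```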