You are both wrong.
 
Mouseclick loggers are commonplace. They have been around for at least four
years, about six months after banks in Brazil started to use mouse-based
keyboards. Some of them capture the screen area round the mouse pointer at the
time of the click.
 

________________________________

From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Thu 13/09/2007 11:27 AM
To: [EMAIL PROTECTED]
Cc: ietf@ietf.org
Subject: Re: Symptoms vs. Causes



At Thu, 13 Sep 2007 16:14:47 +0100,
<[EMAIL PROTECTED]> wrote:
>
>
> > > So much for typing. How about selecting password letters from
> > > dropdown boxes, or from an image map with scrambled letters that
> > > was sent to the browser.
> >
> > Sorry, what about these? They have essentially the same
> > security properties as cleartext passwords.
>
> One would hope that all communication from the browser to the server
> is encrypted as in SSL regardless of whether passwords go in
> cleartext or whether there is some Javascript to encrypt them
> first. In that case, the big issue is keylogging software that has
> been widely installed by malware distributed by Phishing
> organizations. Key-stroke loggers do not look at mouse-clicks.

(1) No, this technique is still easily phished by someone who
    impersonates the image map.
(2) It's easy to write keyloggers that would capture mouse clicks.
    Nobody does it because the imagemap technique is not widely
    used. If it were, that would change.


> > Second, it doesn't take that many phishing attacks to extract
> > most of the secret word.
>
> Depends on length of said word/phrase. Also, I can see how naïve
> people are fooled by the first email, but surely the percentage who
> would click on each successive email, decreases.

That's far from clear, but even if it were so, the phisher can force
multiple trials on the same phishing email, as if you had mistyped,
thus recovering significant portions of the secret word. And of
course, this either requires multiple secret words or a strong
password equivalent on the server side.


> You've mentioned man-in-the-middle attacks. Such attacks cannot be
> prevented if the user interface requires cleartext inputs.

I suppose it depends on what you mean by "cleartext inputs". See:

  [0] J. Alex Halderman, Brent Waters, and Edward W. Felten, "A Convenient
  Method for Securely Managing Passwords", In Proceedings of the 14th
  International World Wide Web Conference (WWW 2005)
 
  [1] Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh and John C.
  Mitchell, "Stronger Password Authentication Using Browser Extensions",
  Proceedings of the 14th Usenix Security Symposium, 2005.

-Ekr

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
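
Added example (not part of the original thread): a defender's estimate of the point made above that a few phished challenges expose most of the secret word. It assumes a scheme the thread does not spell out, in which each login asks for m distinct positions of an n-character secret word chosen uniformly at random; n, m and the function names are illustrative.

```python
from fractions import Fraction
from math import comb


def expected_fraction_revealed(n, m, k):
    """Expected share of the n positions exposed after k observed challenges."""
    if k < 1 or not 0 < m <= n:
        raise ValueError("need k >= 1 and 0 < m <= n")
    # A given position escapes one challenge with probability (n - m) / n.
    return 1 - Fraction(n - m, n) ** k


def revealed_distribution(n, m, k):
    """Exact P(exactly j distinct positions exposed) after k challenges."""
    if k < 1 or not 0 < m <= n:
        raise ValueError("need k >= 1 and 0 < m <= n")
    total = comb(n, m)
    dist = {}
    for j in range(m, n + 1):
        # Inclusion-exclusion over subsets of a fixed j-position set:
        # all k challenges fall inside an i-subset with prob (C(i,m)/C(n,m))^k.
        inner = sum(
            (-1) ** (j - i) * comb(j, i) * Fraction(comb(i, m), total) ** k
            for i in range(m, j + 1)
        )
        dist[j] = comb(n, j) * inner
    return dist


def prob_next_challenge_answerable(n, m, k):
    """P(a fresh challenge asks only for positions already exposed)."""
    total = comb(n, m)
    return sum(
        p * Fraction(comb(j, m), total)
        for j, p in revealed_distribution(n, m, k).items()
    )


if __name__ == "__main__":
    n, m = 8, 3  # constructed parameters: 8-character word, 3 positions asked
    for k in range(1, 9):
        frac = float(expected_fraction_revealed(n, m, k))
        hit = float(prob_next_challenge_answerable(n, m, k))
        print(f"k={k}: exposed={frac:.2f}  next challenge answerable={hit:.2f}")
```

With these constructed parameters the expected exposure passes 80% of the word at the fourth observed challenge, which is why forced retries on a single phishing page matter.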

