On Fri, Dec 28, 2007 at 07:48:22AM -0800, Trevor Talbot wrote:

> I don't follow. What are banks doing on the web now to force clients
> to authenticate them, and how is it any different from the model of
> training users to check the SSL certificate?

Some banks (mostly Swiss and German, from what I've seen) are requiring two-token authentication, and that second "token" is really the way that the client authenticates the server: when you "install" your banking application, you're really installing the keys you need to authenticate the server and for the server to authenticate you.

> There's a fundamental problem that you can't make someone else do
> authentication if they don't want to, and that's exactly the situation
> clients are in.

Right, but you can train users to expect authentication of the server. One way to do that is to require them to use an intrusive enough system that they end up learning what to look for in a phish attack.

That said, I tend to agree with you: if we had DNSSEC everywhere today, it's totally unclear to me what client applications would do in the event they got a "bogus" resolution.

A

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
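The mutual authentication the reply describes (keys installed on the client so that each side can prove itself to the other) can be illustrated with a small challenge-response handshake. The code below is an added example, not code from the thread or from any bank's software; it assumes the simplest possible key model, a single shared secret installed at "install" time, whereas real deployments typically use certificates or hardware tokens. It shows the property that matters for phishing: a server reached through a bogus name resolution cannot produce a valid proof, so the client stops before it ever authenticates itself.

```python
"""Mutual challenge-response authentication over an installed shared key.

Added example (hypothetical protocol). Both parties hold INSTALLED_KEY,
which stands in for the key material installed with the banking client.
"""
import hashlib
import hmac
import os

# Constructed sample key; in practice this would be provisioned at install time.
INSTALLED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def proof(key: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    """HMAC over a role label and both nonces.

    The role label domain-separates the two directions, so a server proof
    can never be replayed back to the server as a client proof.
    """
    return hmac.new(key, role + first + second, hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.server_nonce = b""

    def respond(self, client_nonce: bytes):
        """Answer the client's challenge with a fresh nonce and a proof of key possession."""
        self.server_nonce = os.urandom(16)
        return self.server_nonce, proof(self.key, b"server", client_nonce, self.server_nonce)

    def verify_client(self, client_nonce: bytes, client_proof: bytes) -> bool:
        expected = proof(self.key, b"client", self.server_nonce, client_nonce)
        return hmac.compare_digest(expected, client_proof)


class Client:
    def __init__(self, key: bytes):
        self.key = key
        self.client_nonce = b""

    def start(self) -> bytes:
        self.client_nonce = os.urandom(16)
        return self.client_nonce

    def verify_server(self, server_nonce: bytes, server_proof: bytes):
        """Return the client's own proof only if the server proved it holds the key."""
        expected = proof(self.key, b"server", self.client_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            return None  # server failed authentication; do not send anything further
        return proof(self.key, b"client", server_nonce, self.client_nonce)


def run_session(client: Client, server: Server):
    """Run one handshake; returns (server_authenticated, client_authenticated)."""
    client_nonce = client.start()
    server_nonce, server_proof = server.respond(client_nonce)
    client_proof = client.verify_server(server_nonce, server_proof)
    if client_proof is None:
        return (False, False)  # client stops before proving itself to an unverified peer
    return (True, server.verify_client(client_nonce, client_proof))


def demo():
    """Genuine bank versus an impostor reached through a bogus resolution."""
    genuine = run_session(Client(INSTALLED_KEY), Server(INSTALLED_KEY))
    impostor_key = os.urandom(32)  # an attacker who never received the installed key
    impostor = run_session(Client(INSTALLED_KEY), Server(impostor_key))
    return {"genuine": genuine, "impostor": impostor}


if __name__ == "__main__":
    print(demo())
```

The point of the role labels and of checking the server first is that a phishing site that intercepts the exchange learns nothing it can reuse: the client's proof is never sent unless the server's proof already verified under the installed key.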