-- Forwarded message --
From: Igor Bukanov
Date: 11 October 2013 15:02
Subject: Re: Defending against malicious SSL proxy
To: Brian Smith
From a practical point of view anything that requires changes in the
existing SSL infrastructure cannot be deployed quickly. Moreo
> I don't know the details of J-Pake etc.,
This is a type of protocol that allows *mutual* authentication using
simple passwords or other shared secrets without leaking any
information about the passwords (so dictionary attacks on the captured
traffic etc. do not work). As a result of the authe
> Why is this attack not thwarted by the use of external secure keys?
Currently the bank uses a password and a hardware token. Changing that
is a long process and using JS-based RSA is considered a temporary
measure to raise the bar for attackers.
> That's what my bank has issued me. The one-time
e:
> On 30/09/13 20:35 PM, Igor Bukanov wrote:
> ...
>
>> Real experience shows that a substantial number of those fraud
>> attempts come from computers where malware installs its own root
>> certificate and then installs either a real or transparent proxy. The
>> access
On the current web it is a matter of fact that a banking site should
be developed under the assumption that a substantial number of users use
infected computers, with some of them attempting to perform banking fraud.
Real experience shows that a substantial number of those fraud
attempts come f