Re: Spoofing as the postmaster

On 12/28/07, Andrew Sullivan <ajs@crankycanuck.ca> wrote:
> On Sat, Dec 29, 2007 at 02:09:23AM +1100, Naz Gassiep wrote:

> > In the web world, it is the client's responsibility to ensure that they
> > check the SSL cert and don't do their banking at
> > www.bankofamerica.hax0r.ru and there is nothing that the real banking
> > site can do to stop them using their malware infested PC to connect to
> > the phishing site.

> The above security model is exactly how we got into the mess we're in:
> relying entirely on the good sense of a wide community of users is how
> compromises happen.  Strong authentication authenticates both ways.

> For instance, the web world you describe is not the only one.  Banks who
> take security seriously have multiple levels of authentication, have trained
> their users how to do this, and regularly provide scan tools to clients in
> an attempt (IMO possibly doomed) to reduce the chances of input-device
> sniffing.

I don't follow. What are banks doing on the web now to force clients
to authenticate them, and how is it any different from the model of
training users to check the SSL certificate?

There's a fundamental problem that you can't make someone else do
authentication if they don't want to, and that's exactly the situation
clients are in. I don't see how this can possibly be fixed anywhere
other than the client.