[FoRK] Poisoned DNS and informal certificates
silky <michaelslists at gmail.com> on Tue Feb 19 18:03:35 PST 2008
On Feb 20, 2008 12:56 PM, Stephen D. Williams <sdw at lig.net> wrote:
> BofA (Bank of America) has had the image verification for a while as a
> sort of "you won't look at our certificate so look at this image that
> you picked from our small set instead". Not really that great, but
> something.
it's worse than nothing because it, as with a lot of things, lulls
people into a false sense of security. it now becomes trivial for some
mitm site to say 'hey look at us, we are valid because we have your
image', and regardless of the warnings in browsers, or silly urls, or
something, the customer *trusts* that site because it displays the
image. it's bad to link trust to something that isn't actually
trustworthy. it creates a bad environment.
> Now, they have added an out of band communication verification that,
> these days, isn't bad. I've seen something like this before using home
> phones for location verification, but that was doomed coming as it did
> just before we all went VOIP...
>
> BofA allows you to sign up for SMS verification. For certain
> transactions, like adding a new payee, you are asking them to verify
> that it's really you by sending you an SMS verification code that you
> must then type in. Out of band is one of the better solutions to the
> possibilities of man-in-the-middle attacks and insecure links in the
> chain (network, ISP, your Windows operating system, etc.).
>
> sdw
indeed.
--
http://lets.coozi.com.au/
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
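An added illustration of the property Stephen describes (example code written for this page, not from the thread or from any bank's system): the out-of-band code is tied to the exact transaction the user is confirming, so an intermediary that alters the payee after the SMS was sent cannot reuse the code, and the code also expires, is one-time, and locks after a few guesses. The class name, the five-minute lifetime and the three-attempt limit are assumptions.

```python
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: lock the challenge after three guesses


class OutOfBandVerifier:
    """One pending SMS challenge per user, bound to the exact transaction."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> challenge record

    @staticmethod
    def _binding(user: str, action: str, details: str) -> str:
        # Canonical description of what is being authorised; the same text
        # goes into the SMS so the user sees exactly what the code approves.
        return hashlib.sha256(f"{user}|{action}|{details}".encode()).hexdigest()

    def issue(self, user: str, action: str, details: str):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {"code": code, "binding": self._binding(user, action, details),
                               "issued": self._now(), "attempts": 0}
        sms = f"Code {code} to {action}: {details}. Not you? Call the bank."
        return code, sms   # in practice only `sms` leaves the server

    def verify(self, user: str, code: str, action: str, details: str) -> bool:
        rec = self._pending.get(user)
        if rec is None:
            return False
        if self._now() - rec["issued"] > CODE_TTL_SECONDS:
            del self._pending[user]          # expired, must be reissued
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses, burn it
            return False
        code_ok = hmac.compare_digest(code.encode(), rec["code"].encode())
        # The code alone is not enough: the transaction must be the one the
        # user was shown, so a swapped payee fails even with a valid code.
        tx_ok = hmac.compare_digest(self._binding(user, action, details), rec["binding"])
        if code_ok and tx_ok:
            del self._pending[user]          # one-time use
            return True
        return False
```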