On Fri, Dec 28, 2007 at 07:48:22AM -0800, Trevor Talbot wrote:
> I don't follow. What are banks doing on the web now to force clients
> to authenticate them, and how is it any different from the model of
> training users to check the SSL certificate?
Some banks (mostly Swiss and German, from what I've seen) are requiring
two-token authentication, and that second "token" is really the way that the
client authenticates the server: when you "install" your banking
application, you're really installing the keys you need to authenticate the
server and for the server to authenticate you.
> There's a fundamental problem that you can't make someone else do
> authentication if they don't want to, and that's exactly the situation
> clients are in.
Right, but you can train users to expect authentication of the server. One
way to do that is to require them to use an intrusive enough system that
they end up learning what to look for in a phish attack. That said, I tend
to agree with you: if we had dnssec everywhere today, it's totally unclear
to me what client applications would do in the event they got a "bogus"
resolution.
A
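The "installed keys" model described above, as an added illustration (not code from either poster): a mutual challenge-response in which the client checks the server's proof before it sends anything of its own, so a look-alike site without the installed key gets nothing. Shared HMAC keys and all sample values are constructed stand-ins for whatever key material the real banking applications install.

```python
import hmac
import hashlib
import secrets

# Constructed sample keys. In the deployment described in the thread these are
# what "installing" the banking application actually installs on the client.
SERVER_KEY = b"constructed-server-key-0001"
CLIENT_KEY = b"constructed-client-key-0001"


def _proof(key: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """HMAC over both nonces; only a holder of `key` can produce it."""
    return hmac.new(key, b"|".join((role, c_nonce, s_nonce)), hashlib.sha256).digest()


class Server:
    def __init__(self, server_key: bytes, client_key: bytes) -> None:
        self.server_key, self.client_key = server_key, client_key
        self.client_proofs_seen = 0  # how many clients went on to authenticate to us

    def respond(self, c_nonce: bytes) -> tuple[bytes, bytes]:
        # Server commits to the client's nonce plus a fresh one of its own.
        s_nonce = secrets.token_bytes(16)
        return s_nonce, _proof(self.server_key, b"server", c_nonce, s_nonce)

    def verify_client(self, c_nonce: bytes, s_nonce: bytes, proof: bytes) -> bool:
        self.client_proofs_seen += 1
        return hmac.compare_digest(proof, _proof(self.client_key, b"client", c_nonce, s_nonce))


class Client:
    def __init__(self, server_key: bytes, client_key: bytes) -> None:
        self.server_key, self.client_key = server_key, client_key

    def login(self, server: Server) -> bool:
        c_nonce = secrets.token_bytes(16)
        s_nonce, server_proof = server.respond(c_nonce)
        # The server must prove it holds the installed key first; otherwise the
        # client stops here and never sends anything a phishing site could reuse.
        expected = _proof(self.server_key, b"server", c_nonce, s_nonce)
        if not hmac.compare_digest(server_proof, expected):
            return False
        return server.verify_client(c_nonce, s_nonce, _proof(self.client_key, b"client", c_nonce, s_nonce))


def demo() -> tuple[bool, bool, int]:
    """Returns (login to genuine server, login to look-alike, proofs the look-alike saw)."""
    client = Client(SERVER_KEY, CLIENT_KEY)
    genuine = Server(SERVER_KEY, CLIENT_KEY)
    phish = Server(b"attacker-guess", b"attacker-guess")  # has neither installed key
    return client.login(genuine), client.login(phish), phish.client_proofs_seen
```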