Posted by:
admin
15 years, 7 months ago
The Washington Post Security Fix points out how phishers are exploiting a weakness in the certificate-granting process to fool users. It is interesting because: 1) the attacker gets a real GeoTrust cert with a name similar to the financial institution's, and 2) the offer to sign up for Verified by Visa includes the first 5 digits of the credit card number, which are the same for all the cards issued by that FI.
What it makes me think is: what is the value of a cert from GeoTrust vs. a home-rolled cert combined with mutual authentication and two-factor authentication from WiKID?
The trust in a signed certificate is based on the assumption that the signer has verified the site owner, which is clearly dubious. The trust in WiKID mutual authentication comes from the triangle between the WiKID server, the token client and the website. The token client validates that the site the user intends to visit has the same SSL certificate as the WiKID server has stored for that site. It doesn't matter if the cert is signed by a trusted CA - the only thing that matters is that the cryptography works.
Moreover, because the WiKID client launches the default browser to the site of the validated certificate, it's much easier for the user.
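The pinning check described above, as an added illustration rather than WiKID's own code: the client stores a fingerprint of the certificate it was enrolled with and later accepts a site only if the presented certificate matches it exactly, regardless of which CA signed it. Hostnames, the `PinStore` class and the byte strings standing in for DER certificates are constructed for the example.

```python
import hashlib
import hmac
from enum import Enum


class PinResult(Enum):
    MATCH = "certificate matches the stored pin"
    MISMATCH = "certificate does not match the stored pin"
    UNKNOWN_HOST = "no pin stored for this host"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per hostname, the fingerprint of the certificate the user was enrolled
    with; every later presentation for that host must match it exactly."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def enroll(self, host: str, der_cert: bytes) -> None:
        self._pins[host.lower()] = fingerprint(der_cert)

    def verify(self, host: str, presented_der: bytes) -> PinResult:
        expected = self._pins.get(host.lower())
        if expected is None:
            # A look-alike domain has no pin: refuse rather than fall back
            # to "a trusted CA signed it, so it must be the right site".
            return PinResult.UNKNOWN_HOST
        actual = fingerprint(presented_der)
        # Constant-time comparison so timing does not leak the stored pin.
        if hmac.compare_digest(expected, actual):
            return PinResult.MATCH
        return PinResult.MISMATCH


# Constructed stand-ins for DER certificates (not real certificates).
REAL_BANK_CERT = b"constructed-der:bank.example:serial=1"
LOOKALIKE_CERT = b"constructed-der:bank-secure.example:serial=9"


def demo():
    """Enroll the real site, then check the three cases that matter."""
    store = PinStore()
    store.enroll("bank.example", REAL_BANK_CERT)
    return (
        store.verify("bank.example", REAL_BANK_CERT),         # genuine site
        store.verify("bank.example", LOOKALIKE_CERT),         # CA-signed, wrong cert
        store.verify("bank-secure.example", LOOKALIKE_CERT),  # look-alike host
    )
```

In a real client the presented bytes come from the TLS session (for example `getpeercert(binary_form=True)` on a Python `ssl` socket), and the store needs an enrollment path for legitimate certificate renewals, or every rotation looks like a mismatch.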