[prev in list] [next in list] [prev in thread] [next in thread]
List: cryptography
Subject: Re: [Cryptography] Verisimilitrust
From: Arnold Reinhold <agr () me ! com>
Date: 2016-01-18 14:14:35
Message-ID: BEA7C835-9239-407E-B7FC-605DA009D355 () me ! com
[Download RAW message or body]
> On Jan 16, 2016, at 11:51 PM, Kevin W. Wall <kevin.w.wall@gmail.com> wrote:
>
> On Sat, Jan 16, 2016 at 7:18 PM, Arnold Reinhold <agr@me.com> wrote:
> > On Wed, 13 Jan 2016 15:32 Ray Dillinger asked:
> >
> > > And what requirements does it have beyond or different from the X.509 PKI?
> > >
> > > In short, where is the new work that we still need to do?
> > >
> >
> > Top of my list would be a standard way to get or verify certificates via
> > QR-codes. Consumers are already familiar with them. Coupled with certificate
> > pinning, this would allow the whole CA mess to be bypassed in many important
> > cases, such as banking, health care and email. Most people have periodic
> > out-of-band contact with their banks, visiting offices, ATM machine kiosks, or
> > getting written statements. Health care usually entails in-person contact.
> > Scanning a QRcode on the wall or in the printed statement letterhead would
> > allow a direct establishment of trust. Email trust could be established when
> > exchanging business cards at first contact, and so on. Banks and others might
> > even get into the business of verifying certificates for business and
> > individuals that have accounts with them, perhaps for a fee.
>
> QR-codes in corporate and branch offices would probably be fine, but
> anywhere else, I think they are risky in some places as humans cannot
> readily distinguish the meaning of a QR code. So in the case of a QR
> code printed on company letterhead, what's to prevent a phisher to
> send a fake mailing with *their* QR code. Sure, there's the mailing
> cost, but is that enough to make things like this not profitable for
> phishers?
It's far more expensive than a flood of phishing e-mails and it requires physical \
presence and activity in country that can lead to prosecution. And if QRcodes are on \
every mailing, the likelihood that a victim will select the phisher's document to \
scan is small.
> What about placing stickers of there QR codes over the company
> QR codes on ATM machines? That might work for a phisher.
Banks could use locked frames to display the QRcode in unattended locations. Also \
remember that ATMs are often under video surveillance and banks have an interest in \
prosecuting fraudsters. It might even be possible to display the QRcode on the ATM \
screen itself. I think there is enough screen resolution on newer ones for a \
verification code at least.
>
> I know that various hacker lists have already discussed this as a possibility
> with substituting official QR codes on signage with ones that redirect
> users scanning them to URLs that will download malware, so this thought
> is not exactly new.
There will be some need for care in doing this, but direct verification of \
certificates from material supplied by the owner makes a lot more sense that indirect \
verification by any one of several hundred "trusted" third parties scattered across \
the globe.
Arnold Reinhold
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic