nge-response auth system with a
key shared across origins, where an attacker can trick you into exposing
it, and effectively MitMing the challenge/response)
The reality of is its many problems meant adoption was extremely
low, so it's not surprising
On Thu, Sep 25, 2014 at 8:55 AM, Michal Zalewski
wrote:
> In what way? It doesn't have a logo, so it's a bit better in my book.
That's where you're wrong:
https://pbs.twimg.com/media/ByVh24fCcAAy7mT.png
--
Tony Arcieri
__
facts. They're installed and updated as
granular, auditable units. Using browser plugins for crypto is much less
objectionable than "just a web page" IMO.
I've written a blog post about this, FWIW:
http://tonyarcieri.com/whats-wrong-with-webcrypto
--
Tony Arcieri
the scripts every single time you load the page,
they (or anyone with access to their servers, or anyone able to pull off an
XSS attack) could easily inject a keylogger or other mechanism for
recovering the password.
--
Tony Arcieri
of priorities
for secure software.
--
Tony Arcieri
___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
"client is
duped into installing malware" attack?
--
Tony Arcieri