nge-response auth system with a
key shared across origins, where an attacker can trick you into exposing
it, and effectively MitMing the challenge/response)
The reality of is its many problems meant adoption was extremely
low, so it's not surprising
;client is
duped into installing malware" attack?
--
Tony Arcieri
___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
of priorities
for secure software.
--
Tony Arcieri
the scripts every single time you load the page,
they (or anyone with access to their servers, or anyone able to pull off an
XSS attack) could easily inject a keylogger or other mechanism for
recovering the password.
--
Tony Arcieri
facts. They're installed and updated as
granular, auditable units. Using browser plugins for crypto is much less
objectionable than "just a web page" IMO.
I've written a blog post about this, FWIW:
http://tonyarcieri.com/whats-wrong-with-webcrypto
--
Tony Arcieri
On Thu, Sep 25, 2014 at 8:55 AM, Michal Zalewski wrote:
> In what way? It doesn't have a logo, so it's a bit better in my book.
That's where you're wrong:
https://pbs.twimg.com/media/ByVh24fCcAAy7mT.png
--
Tony Arcieri