Examples of why SiteKey really isn't sufficient:
http://antivirus.about.com/b/2010/03/23/bank-of-america-sitekey-scam.htm
http://www.aviransplace.com/2007/02/05/study-finds-bank-of-america-sitekey-is-flawed/
(As well as the fact that it's possible for a phishing site to use the
same provided ID to ask the real site what sitekey should be shown to
the end user, effectively a man-in-the-middle attack, illustrated at
https://www.sestus.com/vt/sitekeyMITM.asp )
Some other company's solution appears to involve users having to
store a keyfile on their machine, but it seems that would make it
impossible to log into the site from a random machine (or a mobile
device like the iPhone that doesn't have an available filestore), and I
don't see what prevents those users from being duped into providing that
keyfile to a phisher.
https://www.sestus.com/vt/comparesitekey.asp
It's a hard problem, and it mostly happens *outside* your app, so good
luck solving it within your app. :-(
-Dale
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
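The relay attack Dale points to above (a phishing site takes the username the victim types, asks the real site which SiteKey image that user expects, and shows it back) can be written down as a small simulation. This is an added example, not code from the mailing-list post, from Bank of America, or from Sestus; "ExampleBank"-style names, the user record, the image file names, and both phishing-site classes are constructed for illustration. It contrasts a naive phisher that guesses a static image with a relaying phisher, to show which one a SiteKey-following user actually detects.

```python
"""Simulation of the SiteKey relay (man-in-the-middle) attack.

Added example, not code from the mailing-list post or from any real bank
or vendor.  User records, image names and both phishing sites below are
constructed for illustration only.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class BankServer:
    """Stand-in for the real site.  Step 1 of its login takes only a
    username and returns that user's SiteKey image; step 2 takes the
    password."""
    users: Dict[str, Tuple[str, str]]  # username -> (password, image name)

    def sitekey_for(self, username: str) -> Optional[str]:
        # Nothing authenticates this request: anyone who knows the username
        # can ask for the image.  That property is what makes the relay work.
        record = self.users.get(username)
        return record[1] if record else None

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return bool(record) and record[0] == password


@dataclass
class NaivePhishingSite:
    """Look-alike site with no relay: it can only guess an image."""
    guessed_image: str
    captured: List[Tuple[str, str]] = field(default_factory=list)

    def sitekey_for(self, username: str) -> Optional[str]:
        return self.guessed_image

    def login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        return True


@dataclass
class RelayPhishingSite:
    """Look-alike site that forwards step 1 to the real bank in real time."""
    real_bank: BankServer
    captured: List[Tuple[str, str]] = field(default_factory=list)

    def sitekey_for(self, username: str) -> Optional[str]:
        # Relay: ask the real site which image this user expects to see.
        return self.real_bank.sitekey_for(username)

    def login(self, username: str, password: str) -> bool:
        # Harvest the credentials, then forward them so the victim sees a
        # normal, successful login and notices nothing.
        self.captured.append((username, password))
        return self.real_bank.login(username, password)


def victim_session(site, username: str, password: str,
                   expected_image: str) -> dict:
    """A user who follows the SiteKey instructions exactly: type the
    username, check that the familiar image appears, and only then type
    the password."""
    shown = site.sitekey_for(username)
    if shown != expected_image:
        return {"image_shown": shown, "image_matched": False,
                "password_entered": False, "login_ok": False}
    ok = site.login(username, password)
    return {"image_shown": shown, "image_matched": True,
            "password_entered": True, "login_ok": ok}


def run_demo() -> dict:
    """Run the same careful victim against both phishing sites."""
    bank = BankServer(users={"alice": ("hunter2", "red_canoe.png")})
    naive = NaivePhishingSite(guessed_image="blue_bird.png")
    relay = RelayPhishingSite(real_bank=bank)

    naive_result = victim_session(naive, "alice", "hunter2", "red_canoe.png")
    relay_result = victim_session(relay, "alice", "hunter2", "red_canoe.png")
    return {
        "naive": naive_result,
        "naive_captured": list(naive.captured),
        "relay": relay_result,
        "relay_captured": list(relay.captured),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The naive phisher is what SiteKey was designed to defeat: the wrong image appears and the victim stops. The relaying phisher shows the genuine image because the real site hands it out on the strength of the username alone, so the victim's check passes and the password is captured and forwarded; from the victim's side the login simply succeeds.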