Ok, I got it. Thanks so much for the info.

2010/9/6 Dale Newfield <d...@newfield.org>

> Examples of why SiteKey really isn't sufficient:
> http://antivirus.about.com/b/2010/03/23/bank-of-america-sitekey-scam.htm
>
> http://www.aviransplace.com/2007/02/05/study-finds-bank-of-america-sitekey-is-flawed/
>
> (As well as the fact that it's possible for a phishing site to use the same
> provided ID to ask the real site what sitekey should be shown to the end
> user, effectively a man-in-the-middle attack, illustrated at
> https://www.sestus.com/vt/sitekeyMITM.asp )
>
> Some other company's solution that appears to involve users having to store
> a keyfile on their machine, but it seems that would make it impossible to
> log into the site from a random machine (or a mobile device like the iPhone
> that doesn't have an available filestore), and I don't see what prevents
> those users from being duped into providing that keyfile to a phisher.
> https://www.sestus.com/vt/comparesitekey.asp
>
> It's a hard problem, and it mostly happens *outside* your app, so good luck
> solving it within your app. :-(
>
> -Dale

--
Oscar Calderón
SCJP 6 <http://javahowto.net>