Futile half measures!
Posted May 30, 2006 6:22 UTC (Tue) by AnswerGuy (subscriber, #1256)
In reply to: Firefox Bon Echo Alpha 3 milestone released by error27
Parent article: Firefox Bon Echo Alpha 3 milestone released
Most of the anti-phishing approaches are futile half measures.
Why don't we build a working key management and key exchange infrastructure and really solve the problem?
For the vast majority of users today there are only two important personal applications: e-mail and browsing. Something like GPG should be integrated into the MUA and client side certs should be used with browsers. When I open an account at my bank they should offer to dump a GPG key and generate an SSL client cert for me --- putting them onto a small USB thumb drive (complimentary with every new account). Heck ... make it one of those nifty biometric fingerprint reader/thumb drives.
Now I take that home and there's a little video and info pamphlet on my USB key and some little utilities to help me install the client certs and keys into my applications. The rest of the space on the drive can be used for general storage, of course.
JimD
Futile half measures!
Posted May 30, 2006 18:45 UTC (Tue) by MortFurd (guest, #9389)
How's this look for a secure solution to online banking: http://www.hbci-zka.de/english/
Phishing? Not in my house. I don't use a browser to bank, so Phishing doesn't work.
GNUCash does HBCI, and Linux supports darned near all of the card readers (though not all of the card types). The card does the encryption, but only when I give it the PIN. There are extra secure card readers (with a numeric keypad to enter the PIN) for systems where you can't trust the system, so that trojan- or keyreader-infested systems can't be used to clean out your account. If your account is empty, you sure by gosh did it yourself.
Secure, public/private key encryption (RSA), an open standard, supported by open software, and used by over 2000 banks. What more could you want? Just one thing:
PS: The German banks are currently in the process of weakening HBCI to allow crappy software and lazy users to use the insecure PIN/TAN system again. Not gonna happen here. I'm sticking with my card and GNUCash.
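As an added illustration of the mechanism MortFurd describes (example code written for this page, not code from the thread, from GNUCash or from the HBCI specification): a Go model of a signature card whose RSA key never leaves it and which signs an order only after the PIN has been presented, with the bank-side verification of the signed order. The three-try lockout and the one-signature-per-PIN-entry rule are this model's assumptions, not rules taken from HBCI.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Card models an HBCI-style signature card: the RSA key is generated on the card and
// never leaves it. Three-try lockout and one signature per PIN entry are assumptions.
type Card struct {
	key      *rsa.PrivateKey
	pin      string
	tries    int
	verified bool
}

// NewCard personalises a card with its PIN; the private key stays inside the struct.
func NewCard(pin string) (*Card, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Card{key: key, pin: pin, tries: 3}, nil
}

// PublicKey is the only key material the bank receives when the card is issued.
func (c *Card) PublicKey() *rsa.PublicKey { return &c.key.PublicKey }

// VerifyPIN is driven by the reader; with a keypad reader the PIN never crosses the PC.
func (c *Card) VerifyPIN(pin string) error {
	if c.tries == 0 { return errors.New("card blocked") }
	if pin != c.pin {
		c.tries--
		return errors.New("wrong PIN")
	}
	c.tries, c.verified = 3, true
	return nil
}

// Sign refuses without a verified PIN and consumes that verification, so a trojan on
// the PC cannot piggy-back extra orders on the user's single PIN entry.
func (c *Card) Sign(order []byte) ([]byte, error) {
	if !c.verified { return nil, errors.New("PIN not verified") }
	c.verified = false
	h := sha256.Sum256(order)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
}

// BankVerify is the bank-side check of a received order against the registered key.
func BankVerify(pub *rsa.PublicKey, order, sig []byte) bool {
	h := sha256.Sum256(order)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```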
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.