Thursday, December 04, 2008

Turnabout

is fair play. As I often speak condescendingly to my children, hockey referees, and shopkeepers, I can't rightfully complain when Ben directs it at me, in his rebuttal of my (and a plethora of others') criticism of his 'phishability' post.

Ben's argument hinges on a definition (my interpretation, he never comes right out with it) of 'unphishable' as
unphishable: a security characteristic enabled by an authentication protocol in which the password is never sent to the authentication server but presented by the user only to a secure device - the device then authenticating to the server on their behalf.

With this definition, I don't disagree (and you won't hear me diminishing the critical importance of small mobile communication devices to security). If passwords aren't delivered over the wire (and all the other necessary 'utopian' conditions that Ben after the fact stipulates are met) then users could use the same password everywhere.

But of course, this is Ben's definition for unphishable and so perhaps we shouldn't be surprised that it works out nicely for him.

Another definition (one that it appears all of those who had an issue with the original post prefer) looks something like this

unphishable : impossible to phish, see phish.
.
.
phish: a fraudulent attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication

A phish depends on the fact that the user bears the burden of spotting the fraudulent site (notwithstanding visual cues designed to assist them). Any (mutual) authentication protocol that removes that burden from the user could warrant the unphishable descriptor (with similar utopian caveats as Ben stipulates).

This more inclusive definition does not guarantee (though for some mechanisms this would be the case) that there will be nothing on the authentication server that could be used by an insider to impersonate the user elsewhere. And so, this type of unphishable does not inevitably mean that it is appropriate to use the same credential everywhere.
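To make that last distinction concrete, here is an added example (not from the original post, and not Ben's scheme): a toy challenge-response protocol, constructed for illustration, in which the password never crosses the wire and each proof is bound to the origin the device sees. The names, sites and derivation are assumptions; the point is that both variants resist a relaying look-alike site, yet only the site-bound one leaves nothing on server A that works at server B.

```python
import hashlib
import hmac
import os

# Constructed sample values; the scheme below is a toy, not a real protocol.
USER, PASSWORD = "alice", "one password everywhere"
SITE_A, SITE_B, LOOKALIKE = "a.example", "b.example", "a-login.example"

def derive_verifier(password: str, user: str, site: str = "") -> bytes:
    """Secret held by both device and server. An empty site models a
    derivation that comes out identical on every server."""
    salt = f"{site}|{user}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def prove(verifier: bytes, challenge: bytes, origin: str) -> bytes:
    """Device's answer: keyed by the verifier, bound to the origin it sees."""
    return hmac.new(verifier, challenge + origin.encode(), hashlib.sha256).digest()

def accepts(stored: bytes, challenge: bytes, origin: str, proof: bytes) -> bool:
    """Server check: recompute the proof for its own origin and compare."""
    return hmac.compare_digest(prove(stored, challenge, origin), proof)

def phish_relay_accepted(site_bound: bool) -> bool:
    """A look-alike site relays site A's challenge to the user's device."""
    stored_a = derive_verifier(PASSWORD, USER, SITE_A if site_bound else "")
    challenge = os.urandom(16)
    device_key = derive_verifier(PASSWORD, USER, LOOKALIKE if site_bound else "")
    proof = prove(device_key, challenge, LOOKALIKE)  # device binds what it sees
    return accepts(stored_a, challenge, SITE_A, proof)

def insider_accepted_elsewhere(site_bound: bool) -> bool:
    """Does what site A stores pass authentication at site B?"""
    stored_a = derive_verifier(PASSWORD, USER, SITE_A if site_bound else "")
    stored_b = derive_verifier(PASSWORD, USER, SITE_B if site_bound else "")
    challenge = os.urandom(16)
    proof = prove(stored_a, challenge, SITE_B)  # built only from A's database
    return accepts(stored_b, challenge, SITE_B, proof)

if __name__ == "__main__":
    for bound in (False, True):
        print(f"site-bound={bound}: phish relay accepted={phish_relay_accepted(bound)}, "
              f"A's record works at B={insider_accepted_elsewhere(bound)}")
```

In the unbound variant the scheme is unphishable in the broader sense, but reusing the password everywhere means one server's database authenticates at every other server.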
