[FoRK] Poisoned DNS and informal certificates

silky <michaelslists at gmail.com> on Tue Feb 19 01:40:22 PST 2008

On Feb 19, 2008 11:28 AM, Russell Turpin <deafbox at hotmail.com> wrote:
>
>
> When I signed up for online banking with my credit union, they had me select
> an image. That image is displayed on the page that solicits my password,
> after I give my account name. The site cautions if I don't see the chosen
> picture, I shouldn't proceed. This obviously gives some security against a
> fake site as phishers use. But also against a fake site reached by DNS
> poisoning. It is, in some sense, an informal certificate, one that I selected
> and now tied into my visual memory.
>
> If I recall correctly, the sign up process did this in a fairly sophisticated
> manner. If the image set it uses is large, or changes every month, it might
> well be that every account holder gets their own unique image. That would
> make it a good deal more difficult to set up a fake site.

In absolutely no way is this useful or secure or even to any real
degree of "difficulty" difficult.

The fake site can trivially request the image from the real bank
server itself, and then display it back to you (you must, of course,
provide your username before getting to this page. So all the faker
must do is pass this request on).

-- 
http://lets.coozi.com.au/

A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?