Re: Spoofing as the postmaster

From Andrew Sullivan
Subject Re: Spoofing as the postmaster
Date
Msg-id 20071228152631.GA15128@crankycanuck.ca
In response to Re: Spoofing as the postmaster  (Naz Gassiep <naz@mira.net>)
Responses Re: Spoofing as the postmaster  ("Trevor Talbot" <quension@gmail.com>)
List pgsql-hackers
On Sat, Dec 29, 2007 at 02:09:23AM +1100, Naz Gassiep wrote:
> In the web world, it is the client's responsibility to ensure that they 
> check the SSL cert and don't do their banking at 
> www.bankofamerica.hax0r.ru and there is nothing that the real banking 
> site can do to stop them using their malware infested PC to connect to 
> the phishing site. 

The above security model is exactly how we got into the mess we're in:
relying entirely on the good sense of a wide community of users is how
compromises happen.  Strong authentication authenticates both ways.

For instance, the web world you describe is not the only one.  Banks who
take security seriously have multiple levels of authentication, have trained
their users how to do this, and regularly provide scan tools to clients in
an attempt (IMO possibly doomed) to reduce the chances of input-device
sniffing. 

A

