koakuma, 2 months ago

On a much more serious note:

We're expected to give sensitive information all the time - passwords fingerprints selfies biometrics whatever - supposedly to check if we are the genuine account owner or so
On the other hand there's very little to nothing being done by the computer itself to present unforgeable authentication dialogs - even something as basic as your computer's lock screen or login screen could be faked - and what good is a security system if you're going to be duped into handing your keys anyway?

Security experts all say that you should be vigilant, etc. but it comes off to me to be not that different from dismissively ignoring concerns with the "skill issue" meme
In the end all the burden falls on the user to not be tired or having bad days or being overwhelmed or, well, you get the idea

Like sure the burden of "do I want to do X?" does fall on the user but the user should never have to think about "what if it's actually Y trying to look like X?"

wolf480pl, 2 months ago

@koakuma the key problem is that most people can't do ECDSA in their head

icedquinn, 2 months ago

@wolf480pl @koakuma http://doc.cat-v.org/plan_9/4th_edition/papers/auth we solved this problem now go club your OS vendor in to submission

wolf480pl, 2 months ago

@icedquinn @koakuma
it's a bit long, so can you point me to the chapter that talks about the user verifying that the monitor they're looking at has not been replaced with a fake one?

icedquinn, 2 months ago

@wolf480pl @koakuma evil maid is unsolvable.

we can however have all of the secrets management done through a proxy where it can indeed block the UI for authentication requests, talking to FIDO et all, instead of every program fucking it up independently.