struts-user mailing list archives

From Dale Newfield <>
Subject Re: Avoid Phishing in Struts Applications plugin
Date Mon, 06 Sep 2010 16:36:35 GMT
Examples of why SiteKey really isn't sufficient:
(As well as the fact that it's possible for a phishing site to use the 
same provided ID to ask the real site what sitekey should be shown to 
the end user, effectively a man-in-the-middle attack, illustrated at )

Some other company's solution that appears to involve users having to 
store a keyfile on their machine, but it seems that would make it 
impossible to log into the site from a random machine (or a mobile 
device like the iPhone that doesn't have an available filestore), and I 
don't see what prevents those users from being duped into providing that 
keyfile to a phisher.

It's a hard problem, and it mostly happens *outside* your app, so good 
luck solving it within your app. :-(
