The Game of Phishing


The Idea in One Sentence

If you view the installed software component of your browser as an actor in the cryptography protocol, then the solution to phishing attacks is classic cryptography, as documented in any cryptography textbook.


Brief Description

An extension to TLS that I believe solves phishing attacks.

 

Abstract

The current implementation of TLS has your browser display a padlock, and a green bar, after it successfully verifies the digital signature on the TLS certificate. Proposed is a solution where your browser's response to successful verification of a TLS certificate is instead to display a login window. That login window shows the identity credentials from the TLS certificate, to allow the user to authenticate Bob. It also shows a 'user-browser' shared secret, i.e. a specific picture from your hard disk. This is not SiteKey: the image is shared between the computer user and their browser, and it is never transmitted over the internet. Since sandboxed websites cannot access your hard disk, this image cannot be counterfeited by phishing websites. Basically, if you view the installed software component of your browser as an actor in the cryptography protocol, then the solution to phishing attacks is classic cryptography, as documented in any cryptography textbook.

Downloads/Links

Download Paper from International Journal on Cryptography and Information Security
 
Link to paper on arXiv
Document with some new figures (added 27-Mar-2017)
Link to Full Screen Counterfeiting Demo (Firefox & Chrome)
Link to YouTube clip of the Full Screen Counterfeiting Demo
 
All patent rights have now been lost. This includes countries that allow patent applications within one year of publication. Any future attempt to patent this solution will fail. It is now prior art.
Notice of Loss of Rights (2 months from 10-March-2017 i.e. 10-May-2017)
Photo of Certified copy of an early attempt to patent the solution.
Links to EU patent application on EPO.org: Link 1 and Link 2. This EU patent application will expire in January 2017. The USA, Canada and other countries accept patent applications up to one year after publication; in this case the original publication on arXiv, on 12 Nov 2015, constitutes publication. Since no USA, Canadian or other applications have been made, this solution is now prior art in those jurisdictions, i.e. it cannot now be patented by anyone in those countries. In January the European nations will follow, when this patent application expires, i.e. on January 25th, 2017.
Or just search for Joseph Kilcullen on www.EPO.org.