(Fixed formatting)
(Added targeted phishing)
Line 408:
====Honeypot====
An adversary could set up a sync server and invite users to join, with, say, an offer of unlimited storage. When the user creates an account, the hostile sync server initialises the storage with a fictitious authorised device, giving the impression that the user had previously registered with the service. The user could then be presented with an authcode to enter on their device, thus transferring a pre-generated master key, already known to the server, to the newly registered device.
'''Countermeasures'''
TODO
====Targeted Phishing====
Similar to a honeypot, but targeted at a user who has already registered one or more devices: an adversary with control of the sync server could ask the user to authorise the registration of a fictitious device, e.g. one with a name similar to a device familiar to the user. If the user then enters the authcode as requested, e.g. into a web page, the master key will be transferred to the fictitious device.
'''Countermeasures'''
TODO