Saphe security assumptions

These are the security assumptions on which the Saphe solution relies:

  • The would-be phisher is able to see and change any data sent between the user and the real server. The solution must work under this assumption to supply complete protection: any piece of data sent or received may have been altered at any step along the way
  • The passwords shared by the real server and its users adhere to a strict policy that makes sure they cannot be easily enumerated. This depends on both the user and the real server, and is by itself a major security issue
  • AES (Rijndael) with a 128-bit encryption key is a cryptographically strong encryption algorithm that cannot be broken using any existing attack other than brute force
  • SSL version 3.0 and above is a protocol that can withstand any form of man-in-the-middle attack. It is assumed that it is supported and enabled by default in any browser, and that the default encryption algorithm uses keys of at least 128 bits
  • SSL automatically identifies and authenticates the web server it attempts to connect to, using a signed digital certificate. If the domain name in the certificate does not match the domain of the requested URL, or if the certificate is flawed, the user is cautioned not to continue. Therefore, when an SSL connection is successfully established, it can be assumed that the received data has not been altered and that the connection was indeed established with the entity whose domain is the same as the one requested (however, note that the URL requested by the browser is not always the desired one…)
  • None of the root certificate authorities will sign a certificate for an existing domain name unless the request was submitted by the legitimate owner of the domain. It is assumed that adequate precautions are taken by the root CAs to authenticate the requester
  • Servers that store sensitive information will always use SSLv3.0 and above during the user-authentication phase
  • SSLv3.0 and above exists in any web browser, and is enabled by default
  • The operating system (of both the client and the server) can supply a strong random number generator whose output cannot be predicted
  • Executable code on the user's machine is more powerful than any web-based code, and can therefore create visual (and other) effects that cannot be mimicked by fraudulent servers that attempt to bypass the Saphe plugin protection
  • It is reasonable to expect the average user to discern if the Saphe visual effects are missing, and never give his password unless through the Saphe plugin
  • It is reasonable to expect the average user to heed his browser's visible warnings when a web-site's certificate is not valid
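The certificate assumptions above hinge on one check: the browser compares the domain in the server's certificate with the domain of the URL it requested, and warns only on a mismatch. The following added example (written for this page; not Saphe's own code, and using a constructed stand-in for an X.509 certificate rather than a real parser) models that matching rule, including the wildcard restriction that browsers apply, and makes the parenthetical caveat concrete: a certificate that a CA legitimately issued for a look-alike domain passes the check for that domain, so a successful SSL connection proves who you are talking to, not that it is who you meant to talk to. The hostnames `bank.example` and `bank-example.test` are invented for the illustration.

```python
"""Model of the hostname-vs-certificate check a browser performs on an SSL/TLS
connection, and of what that check does and does not establish."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    # Constructed stand-in for an X.509 certificate: only the DNS names it
    # was issued for and whether chain/expiry validation already succeeded.
    dns_names: tuple
    valid: bool = True


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested hostname.

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    leftmost label, only when at least two labels follow it, and it never
    spans more than one label (the RFC 6125 rule browsers follow).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # partial wildcards (f*o.example) are rejected
    if len(p_labels) != len(h_labels):
        return False          # '*' covers exactly one label
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(cert: Certificate, requested_host: str) -> bool:
    """True only if the certificate is valid and names the requested host."""
    if not cert.valid:
        return False
    return any(_dns_name_matches(name, requested_host) for name in cert.dns_names)


def browser_decision(cert: Certificate, requested_host: str) -> str:
    """What the browser does after the check: 'proceed' or 'warn'."""
    return "proceed" if certificate_matches_host(cert, requested_host) else "warn"


def demo() -> dict:
    """Run the check over constructed cases; returns a name -> decision map."""
    legit = Certificate(("bank.example", "www.bank.example"))
    wildcard = Certificate(("*.bank.example",))
    expired = Certificate(("bank.example",), valid=False)
    # A CA will happily issue this: the phisher really does own the domain.
    lookalike = Certificate(("bank-example.test",))
    return {
        "legit site, matching name": browser_decision(legit, "www.bank.example"),
        "legit cert presented for another host": browser_decision(legit, "bank.example.attacker.test"),
        "wildcard covers one label": browser_decision(wildcard, "login.bank.example"),
        "wildcard does not cover bare domain": browser_decision(wildcard, "bank.example"),
        "wildcard does not cover two labels": browser_decision(wildcard, "a.b.bank.example"),
        "flawed certificate": browser_decision(expired, "bank.example"),
        # The check passes: SSL proved the peer owns bank-example.test, nothing more.
        "look-alike domain with its own cert": browser_decision(lookalike, "bank-example.test"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:8} {case}")
```

The last case is the one the page's caveat is about: every link in the chain (CA issuance, certificate validity, hostname match) behaves correctly, and the browser still shows no warning, because nothing in SSL knows which domain the user actually intended. That gap is what a plugin-side indicator such as the Saphe visual effects has to fill.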
(Image: Bad certificate)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License