|
|
|
|
|
|
by Aachen
1161 days ago
|
|
|
> well... a third-party server can do that verification. Sure, but your phone isn't asking said third party what the results of their verification are. It's asking Facebook. It can get hacked. It can lie. If you're looking to protect from a malicious server by protecting the key exchange better, you don't achieve that goal by asking the same party for the same information again via a different protocol and hope it answers differently. It increases attack cost because now the attacker has to fool both systems, but idk by how much honesty. The main cost will be getting into their infrastructure undetected in the first place. Sending discrepant responses to differing IP addresses seems relatively easy beyond that point. |
|
|
> It increases attack cost because now the attacker has to fool both systems, but idk by how much honesty.
That's a fair question, but it may be better than you think, right? At least it seems pretty easy to increase that cost later on if they want to (e.g. securing their audit server or by having the clients check third-party servers). The technology is here now.