
Re: [saag] [websec] [apps-discuss] [kitten] HTTP authentication: the next generation

From: Ben Laurie <benl@google.com>
Date: Fri, 14 Jan 2011 10:00:18 +0000
Message-ID: <AANLkTi=9Uqk0bCt1k+gux6n3H9xU-br3nz5gnL6p-wdP@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: apps-discuss@ietf.org, dwm@xpasc.com, hallam@gmail.com, http-auth@ietf.org, ietf-http-wg@w3.org, kitten@ietf.org, marsh@extendedsubset.com, romeda@gmail.com, saag@ietf.org, websec@ietf.org, zedshaw@zedshaw.com
On 14 January 2011 02:24, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> Marsh Ray <marsh@extendedsubset.com> writes:
>
>>Phishing can be said to have been prevented only when the user can be relied
>>upon to refuse to enter his password into an insecure box.
>
> I think you need to phrase that more generally, "when the user can be relied
> upon to not authenticate to the wrong site", because there's more ways of
> authenticating around than just typing a string into a web form.  For example
> some password managers do site-specific passwords, so even if you go to the
> wrong site you can't accidentally provide your credentials for the correct
> site.

That phrasing is only correct if the authentication method leaks the password...

>
>>For example, my bank asks for my username and then shows me a familiar
>>picture (e.g., a rocking horse) that is supposed to prevent phishing. This
>>stops phishing only in the sense that it requires the attacker to use a CGI
>>proxy app rather than simple static phishing site.
>
> ... or display a broken-image GIF, or a message that the award-winning
> security whatsit is being upgraded and will be back soon, or ...
>
> (this is from a real-world evaluation of the (in-)effectiveness of site
> images, I can dig up the ref if required).  Site images rate more as a
> security gimmick than any real security measure.

Exactly.

Received on Friday, 14 January 2011 10:00:52 GMT
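The site-specific password idea Peter Gutmann mentions, as an added example that is not code from either poster or from any particular password manager: each credential is derived from a master secret and the exact origin, so a lookalike or TLS-downgraded host yields a different value and the real site's password is never typed into the wrong box. The derivation scheme, master secret and domain names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def canonical_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port]. Path and query are ignored so every
    page of one site maps to one credential; scheme and host must match exactly."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    default_port = {"https": 443, "http": 80}.get(scheme)
    if not host or default_port is None:
        raise ValueError(f"unsupported origin in {url!r}")
    port = parts.port or default_port
    suffix = "" if port == default_port else f":{port}"
    return f"{scheme}://{host}{suffix}"


def site_password(master_secret: bytes, url: str, length: int = 20) -> str:
    """Derive the site's password as HMAC-SHA256(master_secret, origin), truncated.
    The master secret stays inside the manager; only the derived value is submitted."""
    origin = canonical_origin(url)
    digest = hmac.new(master_secret, origin.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def credential_reused(master_secret: bytes, url_a: str, url_b: str) -> bool:
    """True only when both URLs derive the identical password, i.e. share an origin."""
    return hmac.compare_digest(site_password(master_secret, url_a),
                               site_password(master_secret, url_b))


if __name__ == "__main__":
    MASTER = b"constructed-master-secret-for-demo"  # constructed; a real manager uses a random key
    real = "https://www.example-bank.com/login"
    same_site = "https://www.example-bank.com/accounts/summary"
    lookalike = "https://www.examp1e-bank.com/login"   # constructed phishing host (digit one)
    downgraded = "http://www.example-bank.com/login"   # same host, plaintext scheme
    print(credential_reused(MASTER, real, same_site))   # True
    print(credential_reused(MASTER, real, lookalike))   # False
    print(credential_reused(MASTER, real, downgraded))  # False
```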
