RE: Secure Chrome

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Fri, 21 Apr 2006 12:58:51 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37A49E6C@MOU1WNEXMB04.vcorp.ad.vrsn.com>
To: "Mike Beltzner" <beltzner@mozilla.com>, "George Staikos" <staikos@kde.org>
Cc: <public-usable-authentication@w3.org>

A user is a finite state machine, the states being:

1) Not suspicious

2) Suspicious

3) Phished

4) Safe


I agree that it is pretty hard to raise an event that causes the user to
change state from Not suspicious to suspicious.

That is not the main point here. What I really want is a way to ensure that
a user who enters the state suspicious reliably ends up in the state Safe.

At the moment there is no way for the suspicious user to quickly and
effectively determine whether they are under attack or not. 

 

> -----Original Message-----
> From: public-usable-authentication-request@w3.org 
> [mailto:public-usable-authentication-request@w3.org] On 
> Behalf Of Mike Beltzner
> Sent: Friday, April 21, 2006 10:51 AM
> To: George Staikos
> Cc: public-usable-authentication@w3.org
> Subject: Re: Secure Chrome
> 
> I think your statement is true of any proposal. Users will 
> pay attention to content, not chrome, so no matter what 
> solution we come up with, users will have to be 
> taught/led/influenced to understanding the new model. 
> 
> George, what do you think secure chrome should get us, if anything?
> 
> cheers,
> mike 
> 
> -----Original Message-----
> From: George Staikos <staikos@kde.org>
> Date: Fri, 21 Apr 2006 02:21:22
> To:"Undisclosed.Recipients": ;
> Cc:public-usable-authentication@w3.org
> Subject: Re: Secure Chrome
> 
> 
> On Tuesday 18 April 2006 00:09, Mike Beltzner wrote:
> 
> > > Do you think any website developers will ever accept such a
> > > thing? :-) I think not...
> >
> > At the conference we briefly discussed the potential for websites to
> > prompt browsers to enter a secure mode for a given page (using some
> > sort of meta tag, maybe?). The idea being that secure mode would only
> > be needed at the point of web authentication or login, after which
> > point the app should be free to take advantage of all sorts of bells
> > and whistles.
> 
> I think this only works if users are trained to only enter sensitive
> information in a page that has entered secure mode. Today in Porto
> Alegre I was trying to get onto the wifi network and I found the
> following:
> - one provider was using a certificate that I had no root for in
>   Firefox or Konqueror
> - one provider was embedding an https frame in an http page
> - one provider was not using any https
> - at least one provider wrote "your data is secure" in the page
> 
> I am very skeptical that we will see these sites implement
> secure-mode, and I'm also very skeptical that users won't continue to
> enter their information in a phishing site that does one of the
> techniques above. This makes me wonder how effective the solution
> will be in the short term.
> 
> -- 
> George Staikos
> KDE Developer				http://www.kde.org/
> Staikos Computing Services Inc.		http://www.staikos.net/
> 
> 

Received on Friday, 21 April 2006 19:59:08 UTC
