W3C home > Mailing lists > Public > public-usable-authentication@w3.org > July 2006

Re: Secure Chrome and Secure MetaData (correction)

From: spam filter <spam+w3c@jeff-nelson.com>
Date: Wed, 5 Jul 2006 09:46:28 -0700
Message-ID: <a76292cb0607050946p650c055bw1f3b6623f8c6c9d5@mail.gmail.com>
To: "James A. Donald" <jamesd@echeque.com>
Cc: public-usable-authentication@w3.org

> Chris Drake wrote:
>  > The word "Chrome" is so cool that nobody wants to put
>  > it back on the shelf where it belongs!

I don't think the concept of secure chrome needs to be entirely
abandoned, just redefined.  The problem is with chrome which is static
and spoofable.  By secure chrome, we mean "unspoofable chrome".

Historical implementations assume that anything in the chrome is
trusted, since an attacker can't control the chrome.  However, the
picture in picture attack demonstrates that the chrome is spoofable,
even when its trusted.

http://guardpuppy.com/BrowserChromeIsDead.gif

We need to determine techniques which are unspoofable, such as
personalization known only to the user or OS layer features, such as
dimming the desktop.

Suppose we did have a set of techniques that proved to be effective,
what form would a standard take?  We'll have to specify something like

For personalization, I suspect the rough outline would be something like

1) User can set some personalization.
2) Personalization must be determine based on some secret known to the
user in a sufficiently large key space, eg. a large set of pictures,
visual hashes, or words.
3) Personalization must be integrated with authentication flows.
4) After authentication, personalization must be presented as proof of
mutual authentication.
5) Personalization may be presented when requesting other sensative information.
6) Personalization may be presented at any time during the session to
prove the session is not spoofed or taken over.
7) Personalization must not be retrievable or usable by third party sites.

I'm not sure if we should promote the "may" in (5) and (6) to "must".

Also, this assumes user training and recognition.  Solutions which
don't train the user to use personalization and recognizing spoofing
will remain spoofable.

Thoughts?

 - Jeff
Received on Wednesday, 5 July 2006 16:46:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT