Re: Secure Chrome

From: James A. Donald <jamesd@echeque.com>
Date: Tue, 13 Jun 2006 09:53:57 +1000
Message-ID: <448DFE95.4000701@echeque.com>
To: public-usable-authentication@w3.org

George Staikos wrote:
 > I've seen some tactics in a few places where some sort
 > of information well-known only to the user was placed
 > in the chrome.  While it did require the user to
 > actively look at the chrome to make sure the
 > information was valid, the information was not
 > spoofable since it was impossible for a site to know
 > what that information was (barring any security hole
 > in the browser implementation). Imagine a browser that
 > had, in the tool/menu bar, "This is Phillip's
 > browser." and a mini-picture of Phill's car.

User does not look at routine chrome.  Does not look at
irrelevant information.

We have to make the login page special in an obvious and
dramatic way - and not make all the other pages special,
because then it just turns into noise and the user tunes
it out - so login and account creation has to be part of
the browser, not a web page.  In Microsoft's Identity
Metasystem, they are making it part of the operating
system (their instinctive reaction to every issue is to
make it part of the operating system, which in the long
run leads to more operating system holes, but still that
is better than login and account creation being part of
the web page).

          James A. Donald
Received on Tuesday, 13 June 2006 15:04:21 UTC