
RE: Yahoo's new tool for anti-phishing

From: Naveen Agarwal <nagarwal@yahoo-inc.com>
Date: Tue, 12 Sep 2006 23:32:35 -0700
To: <sidners@aciworldwide.com>
Cc: <public-usable-authentication@w3.org>
Message-ID: <02b101c6d6fe$669759b0$bdcf15ac@ds.corp.yahoo.com>
Yes. The cookies are issued in the login.yahoo.com domain and have information
that can be used to create a short-lived link to their sign-in seal. So even
if someone has somehow found the URL of the seal, it is only valid for a
No other sites should be able to get the cookies unless there is malware/spyware
on the machine, and in that case, as we all know, pretty much all bets are off.
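The reply above describes two separate protections: the browser only sends the cookie to hosts within the issuing domain, and the cookie is used to mint a short-lived link to the seal rather than a permanent URL. The following is an added illustration of both ideas, not Yahoo's code (the actual implementation is not described on the page); the HMAC-signed token format, the 5-minute lifetime, the `/seal` path, the secret value and the `cookie_sent_to` matching helper are all assumptions for the example.

```python
import hashlib
import hmac

# Constructed placeholder secret for the example; a real service would keep its
# signing key out of the code (for instance in a KMS or HSM).
SERVER_SECRET = b"placeholder-server-secret-not-real"
SEAL_TTL_SECONDS = 300  # assumed "short lived" lifetime for a minted seal link


def _sign(secret: bytes, payload: str) -> str:
    """HMAC-SHA256 over the payload, hex-encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def make_seal_token(seal_id: str, now: int, secret: bytes = SERVER_SECRET,
                    ttl: int = SEAL_TTL_SECONDS) -> str:
    """Mint a token that binds a seal identifier to an expiry time.

    Layout (assumed for this example): "<seal_id>.<expiry_unix>.<hmac_hex>".
    Only the holder of `secret` can produce a valid MAC, so a leaked or
    guessed seal identifier alone is not enough to fetch the seal.
    """
    expiry = now + ttl
    payload = f"{seal_id}.{expiry}"
    return f"{payload}.{_sign(secret, payload)}"


def verify_seal_token(token: str, now: int, secret: bytes = SERVER_SECRET):
    """Return the seal_id if the token is well-formed, authentic and unexpired, else None."""
    try:
        seal_id, expiry_str, mac = token.rsplit(".", 2)
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed token
    # Recompute the MAC over the canonical payload and compare in constant time.
    if not hmac.compare_digest(mac, _sign(secret, f"{seal_id}.{expiry}")):
        return None  # tampered or forged
    if now >= expiry:
        return None  # link has expired
    return seal_id


def seal_url(token: str) -> str:
    """Build the short-lived seal link (path is hypothetical)."""
    return f"https://login.yahoo.com/seal?t={token}"


def cookie_sent_to(cookie_domain: str, request_host: str) -> bool:
    """Domain matching in the style of RFC 6265: the request host must equal
    the cookie's Domain attribute or be a subdomain of it. A look-alike such
    as login.yahoo.com.evil.example therefore never receives the cookie."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


if __name__ == "__main__":
    issued_at = 1_157_999_000  # constructed timestamp
    token = make_seal_token("seal-123", now=issued_at)
    print(seal_url(token))
    print("fresh:", verify_seal_token(token, now=issued_at + 60))
    print("expired:", verify_seal_token(token, now=issued_at + 600))
    print("sent to look-alike host:", cookie_sent_to("login.yahoo.com", "login.yahoo.com.evil.example"))
```

The expiry check and the MAC check are deliberately separate: the MAC rejects tokens that were altered or fabricated, while the expiry bounds how long a captured link stays useful, which is the property the reply relies on.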


From: sidners@aciworldwide.com [mailto:sidners@aciworldwide.com] 
Sent: Monday, September 11, 2006 3:06 PM
To: Naveen Agarwal
Cc: public-usable-authentication@w3.org;
public-usable-authentication-request@w3.org; 'Thomas Roessler'
Subject: Re: Yahoo's new tool for anti-phishing


Help us understand this a little further: I assume the seal is stored as a
site-specific cookie, tied to the yahoo.com domain. Therefore only
yahoo.com servers should be able to pull it up, right? Any other (phishing)
domain will fail, right?

   - Sid 

From: "Naveen Agarwal" <nagarwal@yahoo-inc.com>
Sent by: public-usable-authentication-request@w3.org
Sent: 11-Sep-2006 12:23 PM
To: "'Thomas Roessler'" <tlr@w3.org>, <public-usable-authentication@w3.org>
Subject: Yahoo's new tool for anti-phishing


Some of you may have already seen this. Yahoo! has implemented a very easy to
use sign-in seal to help users recognize a genuine Y! login page. The seal
is not tied to any user but to the browser/PC, and to set it up a user
doesn't need to enter any username/password either. With a personal picture
it is very easy to recognize and use, and there are no extra steps to perform
when doing a login, i.e. the login flow remains as simple as it is today.
https://protect.login.yahoo.com/


From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen
Sent: Monday, September 11, 2006 9:59 AM
To: Thomas Roessler
Cc: public-usable-authentication@w3.org
Subject: Re: Status Update on W3C Security Work 

This story seems timely. If consumers are going to hold institutions
accountable for phishing losses, institutions are going to demand an
infrastructure that they can reasonably use to thwart phishing attacks.


Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Received on Wednesday, 13 September 2006 06:32:47 UTC
