- From: Dick Hardt <dick@sxip.com>
- Date: Wed, 13 Sep 2006 11:35:41 -0700
- To: Naveen Agarwal <nagarwal@yahoo-inc.com>
- Cc: <sidners@aciworldwide.com>, <public-usable-authentication@w3.org>
What stops a site from making a copy of the seal and displaying it?

-- Dick

On 12-Sep-06, at 11:32 PM, Naveen Agarwal wrote:

> Yes. The cookies are issued in login.yahoo.com domain and have
> information that can be used to create a short lived link to their
> sign-in seal. So even if someone has somehow found the URL of the
> seal, it is only valid for a minute.
> No other sites should be able to get cookies unless there is
> malware/spyware on the machine and in that case as we all know
> pretty much all bets are off.
>
> Thanks
>
> Naveen
>
> From: sidners@aciworldwide.com [mailto:sidners@aciworldwide.com]
> Sent: Monday, September 11, 2006 3:06 PM
> To: Naveen Agarwal
> Cc: public-usable-authentication@w3.org; public-usable-authentication-request@w3.org; 'Thomas Roessler'
> Subject: Re: Yahoo's new tool for anti-phishing
>
> Naveen,
>
> Help us understand this a little further: I assume the seal is
> stored as a site specific cookie, tied to the yahoo.com domain.
> Therefore only yahoo.com servers should be able to pull it up,
> right? Any other (phishing) domain will fail, right?
>
> Thanks,
> - Sid
>
> "Naveen Agarwal" <nagarwal@yahoo-inc.com>
> Sent by: public-usable-authentication-request@w3.org
> 11-Sep-2006 12:23 PM
>
> To: "'Thomas Roessler'" <tlr@w3.org>, <public-usable-authentication@w3.org>
> cc:
> Subject: Yahoo's new tool for anti-phishing
>
> Some of you may have already seen this. Yahoo! has implemented a very
> easy to use sign-in seal to help users recognize a genuine Y!
> login page. The seal is not tied to any user but to the browser/PC,
> and to set it up a user doesn't need to enter any username/password
> either. With a personal picture it is very easy to recognize and
> use, and there are no extra steps to perform when doing a login, i.e.
> the login flow remains as simple as it is today.
>
> https://protect.login.yahoo.com/
>
> Thanks
>
> Naveen
>
> From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen Zurko
> Sent: Monday, September 11, 2006 9:59 AM
> To: Thomas Roessler
> Cc: public-usable-authentication@w3.org
> Subject: Re: Status Update on W3C Security Work
>
> This story seems timely. If consumers are going to hold
> institutions accountable for phishing losses, institutions are
> going to demand an infrastructure that they can reasonably use to
> thwart phishing attacks.
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
> http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html
Received on Wednesday, 13 September 2006 18:51:26 UTC
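The mechanism Naveen describes in the thread above (a cookie scoped to the login.yahoo.com domain whose contents let the login page mint a link to the seal that stays valid for about a minute) is modeled below as an added Python example. This is illustrative code written for this page, not Yahoo's implementation: the server-side HMAC key, the cookie name `seal_bid`, the browser id, the `/seal` URL path, the cookie attributes and the seal store are all assumptions. The check in `fetch_seal` shows what the one-minute window does and does not buy: a captured link fails after the window, and a link with a tampered expiry fails the signature, but once the image bytes have been served nothing in the link's expiry prevents them from being re-displayed, which is the point of Dick's question.

```python
"""Model of a short-lived, browser-bound sign-in seal link (illustrative, not Yahoo's code)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SEAL_LINK_TTL_SECONDS = 60       # the thread says a minted link is valid "for a minute"
SEAL_DOMAIN = "login.yahoo.com"  # domain the seal cookie is scoped to, per the thread

# Assumed server-side signing key; a constructed placeholder, not a real secret.
SERVER_KEY = b"example-server-key-not-a-real-secret"

# Assumed server-side store: browser id (the value kept in the cookie) -> seal image bytes.
# The entry is constructed sample data.
SEAL_STORE = {
    "b7f3c2e1": b"\x89PNG-constructed-seal-for-browser-b7f3c2e1",
}


def issue_cookie(browser_id):
    """Set-Cookie value that ties the opaque browser id to the login domain.

    Cookie name and attributes are assumptions; the Domain attribute is what keeps
    other origins from reading it (absent malware on the machine, as the thread notes).
    """
    return f"seal_bid={browser_id}; Domain={SEAL_DOMAIN}; Path=/; Secure; HttpOnly"


def _sign(browser_id, expires, key=SERVER_KEY):
    """HMAC over the browser id and expiry so neither can be altered client-side."""
    msg = f"{browser_id}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mint_seal_link(browser_id, now=None, ttl=SEAL_LINK_TTL_SECONDS, key=SERVER_KEY):
    """Login page side: turn the cookie's browser id into a link that expires after ttl."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    query = urlencode({"bid": browser_id, "exp": expires, "sig": _sign(browser_id, expires, key)})
    return f"https://{SEAL_DOMAIN}/seal?{query}"


def fetch_seal(link, now=None, key=SERVER_KEY):
    """Seal endpoint side: return the image bytes, or None if the link is
    off-domain, malformed, forged, expired, or names an unknown browser."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(link)
    if parsed.scheme != "https" or parsed.netloc != SEAL_DOMAIN:
        return None
    q = parse_qs(parsed.query)
    try:
        bid = q["bid"][0]
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    # Constant-time comparison of the presented signature with a fresh one.
    if not hmac.compare_digest(sig, _sign(bid, exp, key)):
        return None
    if now > exp:
        return None  # captured link replayed after the one-minute window
    return SEAL_STORE.get(bid)


if __name__ == "__main__":
    t0 = 1_158_000_000  # constructed timestamp (September 2006)
    link = mint_seal_link("b7f3c2e1", now=t0)
    print(issue_cookie("b7f3c2e1"))
    print("fresh link served:", fetch_seal(link, now=t0) is not None)
    print("same link 61s later:", fetch_seal(link, now=t0 + 61) is not None)
```

The expiry is checked against the server clock, so the window is measured from minting, not from first use; a link fetched once and then re-requested inside the window is still served, which is why the store keys on a browser id rather than on anything a user typed.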