W3C home > Mailing lists > Public > public-usable-authentication@w3.org > September 2006

Re: Yahoo's new tool for anti-phishing

From: Mike Beltzner <beltzner@mozilla.com>
Date: Wed Sep 13 19:29:59 2006
Message-ID: <1123642570-1158175789-cardhu_blackberry.rim.net-10355-@engine03-cell02>
To: "Dick Hardt" <dick@sxip.com>, "Naveen Agarwal" <nagarwal@yahoo-inc.com>
Cc: sidners@aciworldwide.com, public-usable-authentication@w3.org
As I understand things, the seal is generated based on settings stored in a client side cookie. The user can choose from a fairly large number of looks and images and colours and text, so while a site could spoof a seal, it'd be hard to get right without stealing that cookie, which browsers usually prevent.

Again, that's aiui :)


-----Original Message-----
From: Dick Hardt <dick@sxip.com>
Date: Wed, 13 Sep 2006 11:35:41 
To: Naveen Agarwal <nagarwal@yahoo-inc.com>
Cc: <sidners@aciworldwide.com>, <public-usable-authentication@w3.org>
Subject: Re: Yahoo's new tool for anti-phishing

What stops a site from making a copy of the seal and displaying it?

-- Dick

On 12-Sep-06, at 11:32 PM, Naveen Agarwal wrote:

> Yes. The cookies are issued in login.yahoo.com domain and have  
> information that can be used to create a short lived link to their  
> sign-in seal. So even if someone has somehow found the URL of the  
> seal, it is only valid for a minute.
> No other sites should be able to get cookies unless there is  
> malware/spyware on the machine and in that case as we all know  
> pretty much all bets are off.
> Thanks
> Naveen
> From: sidners@aciworldwide.com [mailto:sidners@aciworldwide.com]
> Sent: Monday, September 11, 2006 3:06 PM
> To: Naveen Agarwal
> Cc: public-usable-authentication@w3.org; public-usable-authentication-request@w3.org; 'Thomas Roessler'
> Subject: Re: Yahoo's new tool for anti-phishing
> Naveen,
> Help us understand this a little further:  I assume the seal is  
> stored as a site specific cookie, tied to the yahoo.com domain.    
> Therefore only yahoo.com servers should be able to pull it up,  
> right?  Any other (phishing) domain will fail, right?
> Thanks,
>    - Sid
> From: "Naveen Agarwal" <nagarwal@yahoo-inc.com>
> Sent by: public-usable-authentication-request@w3.org
> Date: 11-Sep-2006 12:23 PM
> To: "'Thomas Roessler'" <tlr@w3.org>, <public-usable-authentication@w3.org>
> Subject: Yahoo's new tool for anti-phishing
> Some of you may have already seen this. Yahoo! has implemented a very  
> easy-to-use sign-in seal to help users recognize a genuine Y!  
> login page. The seal is not tied to any user but to the browser/PC,  
> and to set it up a user doesn't need to enter any username/password  
> either. With a personal picture it is very easy to recognize and  
> use, and there are no extra steps to perform when doing a login, i.e.  
> the login flow remains as simple as it is today.
> https://protect.login.yahoo.com/
> Thanks
> Naveen
> From: public-usable-authentication-request@w3.org [mailto:public- 
> usable-authentication-request@w3.org] On Behalf Of Mary Ellen Zurko
> Sent: Monday, September 11, 2006 9:59 AM
> To: Thomas Roessler
> Cc: public-usable-authentication@w3.org
> Subject: Re: Status Update on W3C Security Work
> This story seems timely.  If consumers are going to hold  
> institutions accountable for phishing losses, institutions are  
> going to demand an infrastructure that they can reasonably use to  
> thwart phishing attacks.
>          Mez
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
> http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html

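The mechanism Naveen describes above (a cookie scoped to login.yahoo.com from which the login page derives a seal link that is only valid for about a minute) and Mike's point that a spoofer would need the cookie itself are easier to reason about with a concrete sketch. The following is added example code, not Yahoo's implementation: the HMAC-based signing of the link, the 60-second TTL, the function names, the in-memory store and the sample seal settings are all assumptions made for the illustration.

```python
"""Sketch of a cookie-bound, short-lived sign-in seal link.

Added example; not Yahoo's code. The signing scheme, TTL and names
are assumptions based on the thread's description of the design.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side signing key. Constructed for the example only; a real
# deployment would load this from a secret store and rotate it.
SERVER_KEY = b"example-server-key-not-a-real-secret"
SEAL_TTL_SECONDS = 60  # assumed: "only valid for a minute"


def set_seal(store, settings):
    """Register a browser's seal settings; return the opaque cookie value.

    In the design under discussion the browser scopes this cookie to
    login.yahoo.com, so a phishing origin never receives it.
    """
    seal_id = secrets.token_hex(16)
    store[seal_id] = dict(settings)
    return seal_id


def _sign(seal_id, exp):
    # The signature binds the seal reference to its expiry time.
    msg = f"{seal_id}|{exp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def mint_seal_url(cookie_value, now=None, ttl=SEAL_TTL_SECONDS):
    """Build the short-lived link the genuine login page embeds.

    Only a server that received the cookie and holds SERVER_KEY can
    mint one; a copied URL stops working once `exp` has passed.
    """
    now = time.time() if now is None else now
    exp = int(now) + ttl
    query = {"id": cookie_value, "exp": exp, "sig": _sign(cookie_value, exp)}
    return "/seal?" + urlencode(query)


def serve_seal(store, url, now=None):
    """Validate a seal URL. Returns (settings, None) or (None, reason)."""
    now = time.time() if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        seal_id, exp, sig = q["id"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None, "malformed"
    # Constant-time comparison so the signature can't be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(seal_id, exp)):
        return None, "bad signature"
    if now >= exp:
        return None, "expired"
    settings = store.get(seal_id)
    if settings is None:
        return None, "unknown seal"
    return settings, None


def demo():
    """Walk through the cases the thread raises; returns the outcomes."""
    store = {}
    # Constructed sample: the look the user picked when enrolling.
    cookie = set_seal(store, {"image": "cat.png", "text": "hello", "color": "#336699"})
    t0 = 1_158_175_789  # constructed fixed timestamp for determinism
    url = mint_seal_url(cookie, now=t0)
    results = {}
    # Genuine page: the browser fetches the seal a few seconds after minting.
    results["fresh"] = serve_seal(store, url, now=t0 + 5)[0] is not None
    # A phishing page that copied the URL replays it after the minute is up.
    results["replayed_later"] = serve_seal(store, url, now=t0 + 61)[1]
    # The phisher edits the expiry to extend the link's life.
    forged = url.replace(f"exp={t0 + 60}", f"exp={t0 + 3600}")
    results["tampered_exp"] = serve_seal(store, forged, now=t0 + 61)[1]
    # A reference the server never issued (no cookie was ever set for it).
    results["unknown"] = serve_seal(store, mint_seal_url("0" * 32, now=t0), now=t0)[1]
    return results
```

The point the code makes explicit is that the URL itself carries no secret: it is a signed, time-boxed pointer, so capturing it buys an attacker at most a minute, and minting a fresh one requires both the cookie (which the browser only sends to the issuing host) and the server's key.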
Received on Wednesday, 13 September 2006 19:29:59 UTC
