
Trusted Web GUI - At an X-road

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 01 Dec 2013 17:40:04 +0100
Message-ID: <529B6664.90208@gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>

Trusted Web GUIs are intended to let users submit data and be sure that it reaches the proper party.

In some cases it is "only" about trusting and recognizing the site you are visiting, which I'm not going to elaborate on here, because the use-case most people think about is things like payments, where anything from evil merchants to phishers tries to trick the user into doing another transaction than they wanted.

Hardware/TEE Scheme
====================
Currently the only product I'm aware of claiming such a feature is IPT from Intel:
https://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display

GlobalPlatform seems to have adopted this concept as well:
http://www.globalplatform.org/mediapressview.asp?id=1029

Although feel free to disagree (this posting is just for bringing the subject to the table, so to say), I'm rather skeptical about the IPT/GP approach to Trusted GUIs for several reasons:
1. The users that are the most likely victims of GUI spoofing/phishing attacks probably won't observe the security indicator.
2. It is a very intrusive and rigid solution compared to the rest of the web platform.

Are there alternatives to TEE (Trusted Execution) systems "hijacking" the I/O system?  Yes, indeed!

Reusing Web Technology
======================

The primary alternative to (at any cost) protecting a PIN from spoofing is rather to make a stolen PIN (cyber-wise) "useless" by only letting trusted software actually unlock keys.

One approach which Mozilla reportedly is toying with is supplying a set of "Trusted URLs" with the browser.

I have come up with a variation on the former which is based on a souped-up version of WebCrypto where the domain concept behind SOP has been augmented with virtual domains using cryptographic bindings between trusted software and its legitimate resources.  It unfortunately requires deep cuts in client platforms and issuing systems, but I'm currently developing such a system anyway since it appears to be a highly scalable way of doing what the payment industry hasn't managed in 15 years: making chip-card payments work equally well (convenience + security) on the web as in a shop or ATM.  That the very same platform can also support a gazillion other applications, including the possible "resurrection" of Microsoft's excellent InformationCard scheme, makes it even more exciting, although there are literally tons of work ahead...

Maybe there are other ways to Rome?  Bring 'em on!

Anders
Received on Sunday, 1 December 2013 16:40:38 UTC