
Re: Authentium

From: Mike Beltzner <beltzner@mozilla.com>
Date: Mon, 30 Jul 2007 16:53:32 -0400
Message-Id: <DE51B1B9-6149-4146-8FCF-C6974D7D7279@mozilla.com>
Cc: <dan.schutzer@fstc.org>, <tlr@w3.org>, <public-wsc-wg@w3.org>
To: <michael.mccormick@wellsfargo.com>

I think that fails as it creates an idea of a private web. I'm all  
for single-web-app-specific browsers (note: at an implementation  
level, these can actually be very small config files which just  
restrict a loaded instance of a browser) distributed by the party  
with the trust relationship between the user, should be used as a way  
of creating a reliable and private communication path. No URL bar, no  
loading clicks from email, the message becomes "Get the WhateverBank  
Home Banking Tool and manage your money!"

cheers,
mike

On 30-Jul-07, at 4:34 PM, <michael.mccormick@wellsfargo.com> wrote:

> The line is blurry at best.  The browser I saw demo'd came pre-loaded
> with shortcuts for about 30 popular web sites.  It's not specific to one
> site (although it can be packaged that way).  So to me it seems similar
> to SBM which also would come with a restricted list of trusted web
> sites.
>
> -----Original Message-----
> From: Mike Beltzner [mailto:beltzner@mozilla.com]
> Sent: Monday, July 30, 2007 2:53 PM
> To: Dan Schutzer
> Cc: 'Thomas Roessler'; McCormick, Mike; public-wsc-wg@w3.org
> Subject: Re: Authentium
>
> To be clear, I don't think this is "secure web browsing". I think this
> is a "Some Bank's Home Banking Application" that happens to, under the
> covers, use the protocols and technologies that we call "the web".
>
> cheers,
> mike
>
> On 30-Jul-07, at 3:14 PM, Dan Schutzer wrote:
>
>> I agree that there are a number of vendors, and that the idea of
>> talking Secure Web Browsing is that we can scale it up and get the
>> mainstream vendors Mozilla, Microsoft etc supporting it. I think the
>> timing might be right to start talking seriously as to how we can all
>> work together to make this happen; launch some joint W3C/FSTC
>> follow-on to the WSC.
>>
>> Dan Schutzer
>>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org
>> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mike Beltzner
>> Sent: Monday, July 30, 2007 2:56 PM
>> To: Thomas Roessler
>> Cc: michael.mccormick@wellsfargo.com; public-wsc-wg@w3.org
>> Subject: Re: Authentium
>>
>>
>> Mark Finkle, a Mozilla Technology Evangelist, has produced a set of
>> binaries called "WebRunner" which is meant to make it easier to
>> produce a HTML client that talks to a single web-application. He
>> hasn't done any work vis-a-vis locking it down from a security
>> perspective, but we could talk to him about adding that to his
>> working list of requirements.
>>
>> I think there's some value in looking at organizations creating and
>> distributing website specific apps, and it fits into a model of
>> "web-backed widgetry" which is popular on mobile devices.
>>
>> cheers,
>> mike
>>
>> On 30-Jul-07, at 1:57 PM, Thomas Roessler wrote:
>>
>>>
>>> (Cutting the CC list down)
>>>
>>> On 2007-07-30 11:16:15 -0500, michael.mccormick@wellsfargo.com wrote:
>>>
>>>> There are emerging vendors who offer a hardened web browser that
>>>> only allows the user to access certain pre-vetted web sites.  The
>>>> one I saw demo'd today is based on the Mozilla code base.  The UI
>>>> looks like a stripped-down Firefox.  While it's running all other
>>>> Windows programs (inc. any key loggers or other malware) are more
>>>> or less suspended.  Only SSL communication is allowed.  The
>>>> browser also uses a private DNS server to avoid DNS poisoning and
>>>> a signed URL list to avoid bookmark poisoning.
>>>
>>> I wonder how scalable this actually is, and how much it'll be used.
>>> I've seen similar approaches demonstrated where the banking platform
>>> was launched from a read-only Linux distribution (on CD), to defend
>>> against any possible malware infestation.
>>>
>>> Regards,
>>> -- 
>>> Thomas Roessler, W3C  <tlr@w3.org>
>>>
Received on Monday, 30 July 2007 20:53:57 GMT
