W3C home > Mailing lists > Public > public-wsc-wg@w3.org > July 2007

Re: Authentium

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Mon, 30 Jul 2007 17:04:58 -0400
Message-ID: <46AE527A.2050309@cs.cmu.edu>
To: Mike Beltzner <beltzner@mozilla.com>
CC: michael.mccormick@wellsfargo.com, dan.schutzer@fstc.org, tlr@w3.org, public-wsc-wg@w3.org

While that's certainly a better idea than the original proposal, the
question still remains: when a user does receive that message from
"their bank," will they still click on it and be fooled by whatever
opens in their web browser?  All the current literature out there says yes.

serge

Mike Beltzner wrote:
> 
> I think that fails as it creates an idea of a private web. I'm all for
> single-web-app-specific browsers (note: at an implementation level,
> these can actually be very small config files which just restrict a
> loaded instance of a browser) distributed by the party with the trust
> relationship between the user, should be used as a way of creating a
> reliable and private communication path. No URL bar, no loading clicks
> from email, the message becomes "Get the WhateverBank Home Banking Tool
> and manage your money!"
> 
> cheers,
> mike
> 
> On 30-Jul-07, at 4:34 PM, <michael.mccormick@wellsfargo.com> wrote:
> 
>> The line is blurry at best.  The browser I saw demo'd came pre-loaded
>> with shortcuts for about 30 popular web sites.  It's not specific to one
>> site (although it can be packaged that way).  So to me it seems similar
>> to SBM which also would come with a restricted list of trusted web
>> sites.
>>
>> -----Original Message-----
>> From: Mike Beltzner [mailto:beltzner@mozilla.com]
>> Sent: Monday, July 30, 2007 2:53 PM
>> To: Dan Schutzer
>> Cc: 'Thomas Roessler'; McCormick, Mike; public-wsc-wg@w3.org
>> Subject: Re: Authentium
>>
>> To be clear, I don't think this is "secure web browsing". I think this
>> is a "Some Bank's Home Banking Application" that happens to, under the
>> covers, use the protocols and technologies that we call "the web".
>>
>> cheers,
>> mike
>>
>> On 30-Jul-07, at 3:14 PM, Dan Schutzer wrote:
>>
>>> I agree that there are a number of vendors, and that the idea of
>>> talking Secure Web Browsing is that we can scale it up and get the
>>> mainstream vendors Mozilla, Microsoft etc supporting it. I think the
>>> timing might be right to start talking seriously as to how we can all
>>> work together to make this happen; launch some joint W3C/FSTC
>>> follow-on to the WSC.
>>>
>>> Dan Schutzer
>>>
>>> -----Original Message-----
>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-
>>> request@w3.org] On Behalf Of Mike Beltzner
>>> Sent: Monday, July 30, 2007 2:56 PM
>>> To: Thomas Roessler
>>> Cc: michael.mccormick@wellsfargo.com; public-wsc-wg@w3.org
>>> Subject: Re: Authentium
>>>
>>>
>>> Mark Finkle, a Mozilla Technology Evangelist, has produced a set of
>>> binaries called "WebRunner" which is meant to make it easier to
>>> produce a HTML client that talks to a single web-application. He
>>> hasn't done any work vis-a-vis locking it down from a security
>>> perspective, but we could talk to him about adding that to his
>>> working list of requirements.
>>>
>>> I think there's some value into looking at organizations creating and
>>> distributing website specific apps, and it fits into a model of "web-
>>> backed widgetry" which is popular on mobile devices.
>>>
>>> cheers,
>>> mike
>>>
>>> On 30-Jul-07, at 1:57 PM, Thomas Roessler wrote:
>>>
>>>>
>>>> (Cutting the CC list down)
>>>>
>>>> On 2007-07-30 11:16:15 -0500, michael.mccormick@wellsfargo.com wrote:
>>>>
>>>>> There are emerging vendors who offer a hardened web browser that
>>>>> only allows the user to access certain pre-vetted web sites.  The
>>>>> one I saw demo'd today is based on the Mozilla code base.  The UI
>>>>> looks like a stripped-down Firefox.  While it's running all other
>>>>> Windows programs (inc. any key loggers or other malware) are more
>>>>> or less suspended.  Only SSL communication is allowed.  The
>>>>> browser also uses a private DNS server to avoid DNS poisoning and
>>>>> a signed URL list to avoid bookmark poisoning.
>>>>
>>>> I wonder how scalable this actually is, and how much it'll be used.
>>>> I've seen similar approaches demonstrated where the banking platform
>>>> was launched from a read-only Linux distribution (on CD), to defend
>>>> against any possible malware infestation.
>>>>
>>>> Regards,
>>>> --Thomas Roessler, W3C  <tlr@w3.org>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
> 
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Monday, 30 July 2007 21:05:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:50 GMT