W3C home > Mailing lists > Public > public-wsc-wg@w3.org > July 2007

RE: Authentium

From: <michael.mccormick@wellsfargo.com>
Date: Mon, 30 Jul 2007 18:02:51 -0500
Message-ID: <8A794A6D6932D146B2949441ECFC9D68040AA372@msgswbmnmsp17.wellsfargo.com>
To: <egelman@cs.cmu.edu>
Cc: <beltzner@mozilla.com>, <dan.schutzer@fstc.org>, <tlr@w3.org>, <public-wsc-wg@w3.org>

Phishers don't have to connect to bank web sites to profit.  They can
collect credit card numbers to commit merchant fraud, SSNs to commit
identity theft, etc.  But you're right - this could theoretically make
the bank id/password a less juicy piece of information, and that would
be a big step in the right direction.

-----Original Message-----
From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
Sent: Monday, July 30, 2007 5:49 PM
To: McCormick, Mike
Cc: beltzner@mozilla.com; dan.schutzer@fstc.org; tlr@w3.org;
public-wsc-wg@w3.org
Subject: Re: Authentium

Right, but then what does the phisher do with that information?

If we're relying on custom software to do this, and using some sort of
hashing, it's feasible to construct a system such that if the user
visits a phishing site, the information is useless to the phisher.

serge

michael.mccormick@wellsfargo.com wrote:
> I think the issue you raised earlier Serge would remain a problem even

> if banks only allowed a secure browser on their sites.  Because the 
> phisher's email doesn't link to the bank's web site, it links to his 
> site.
> 
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu]
> Sent: Monday, July 30, 2007 5:36 PM
> To: Mike Beltzner
> Cc: McCormick, Mike; dan.schutzer@fstc.org; tlr@w3.org; 
> public-wsc-wg@w3.org
> Subject: Re: Authentium
> 
> Yeah, I think we are saying the same thing.
> 
> And sure, if banks only allowed this app to login to their site, the 
> problem would be largely solved.  But wait, it's already been solved 
> if we work under that assumption.  There's a plethora of fancy schemes

> presented at security conferences that solve phishing.  However, no 
> one uses them because 1) they require training, and 2) you lose the 
> ability to check your accounts from other computers.
> 
> serge
> 
> Mike Beltzner wrote:
>> That's a fair point. I guess I was hoping that we could convince the 
>> organizations that wanted a safe browsing mode to require the use of 
>> their own client app for a login that does anything significant, with

>> that password hashed or whatnot. Though that does destroy the 
>> universal access aspect of a lot of online applications.
>>
>> I'm not sure, though, that Safe Browsing Mode was meant to combat 
>> phishing as opposed to providing an opt-in mechanism for users to 
>> ensure that they're using a secure connection. I don't see, for 
>> instance, how a safe browsing mode defeats the spear-phish, either.
>>
>> Maybe you're saying the same thing. :)
>>
>> cheers,
>> mike
>>
>> On 30-Jul-07, at 5:04 PM, Serge Egelman wrote:
>>
>>> While that's certainly a better idea than the original proposal, the

>>> question still remains: when a user does receive that message from 
>>> "their bank," will they still click on it and be fooled by whatever 
>>> opens in their web browser?  All the current literature out there 
>>> says yes.
>>>
>>> serge
>>>
>>> Mike Beltzner wrote:
>>>> I think that fails as it creates an idea of a private web. I'm all 
>>>> for single-web-app-specific browsers (note: at an implementation 
>>>> level, these can actually be very small config files which just 
>>>> restrict a loaded instance of a browser) distributed by the party 
>>>> with the trust relationship between the user, should be used as a 
>>>> way of creating a reliable and private communication path. No URL 
>>>> bar, no loading clicks from email, the message becomes "Get the 
>>>> WhateverBank Home Banking Tool and manage your money!"
>>>>
>>>> cheers,
>>>> mike
>>>>
>>>> On 30-Jul-07, at 4:34 PM, <michael.mccormick@wellsfargo.com> wrote:
>>>>
>>>>> The line is blurry at best.  The browser I saw demo'd came 
>>>>> pre-loaded with shortcuts for about 30 popular web sites.  It's 
>>>>> not
> 
>>>>> specific to one site (although it can be packaged that way).  So 
>>>>> to
> 
>>>>> me it seems similar to SBM which also would come with a restricted

>>>>> list of trusted web sites.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Mike Beltzner [mailto:beltzner@mozilla.com]
>>>>> Sent: Monday, July 30, 2007 2:53 PM
>>>>> To: Dan Schutzer
>>>>> Cc: 'Thomas Roessler'; McCormick, Mike; public-wsc-wg@w3.org
>>>>> Subject: Re: Authentium
>>>>>
>>>>> To be clear, I don't think this is "secure web browsing". I think 
>>>>> this is a "Some Bank's Home Banking Application" that happens to, 
>>>>> under the covers, use the protocols and technologies that we call
> "the web".
>>>>> cheers,
>>>>> mike
>>>>>
>>>>> On 30-Jul-07, at 3:14 PM, Dan Schutzer wrote:
>>>>>
>>>>>> I agree that there are a number of vendors, and that the idea of 
>>>>>> talking Secure Web Browsing is that we can scale it up and get 
>>>>>> the
> 
>>>>>> mainstream vendors Mozilla, Microsoft etc supporting it. I think 
>>>>>> the timing might be right to start talking seriously as to how we

>>>>>> can all work together to make this happen; launch some joint 
>>>>>> W3C/FSTC follow-on to the WSC.
>>>>>>
>>>>>> Dan Schutzer
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg- 
>>>>>> request@w3.org] On Behalf Of Mike Beltzner
>>>>>> Sent: Monday, July 30, 2007 2:56 PM
>>>>>> To: Thomas Roessler
>>>>>> Cc: michael.mccormick@wellsfargo.com; public-wsc-wg@w3.org
>>>>>> Subject: Re: Authentium
>>>>>>
>>>>>>
>>>>>> Mark Finkle, a Mozilla Technology Evangelist, has produced a set 
>>>>>> of binaries called "WebRunner" which is meant to make it easier 
>>>>>> to
> 
>>>>>> produce a HTML client that talks to a single web-application. He 
>>>>>> hasn't done any work vis-a-vis locking it down from a security 
>>>>>> perspective, but we could talk to him about adding that to his 
>>>>>> working list of requirements.
>>>>>>
>>>>>> I think there's some value into looking at organizations creating

>>>>>> and distributing website specific apps, and it fits into a model 
>>>>>> of "web- backed widgetry" which is popular on mobile devices.
>>>>>>
>>>>>> cheers,
>>>>>> mike
>>>>>>
>>>>>> On 30-Jul-07, at 1:57 PM, Thomas Roessler wrote:
>>>>>>
>>>>>>> (Cutting the CC list down)
>>>>>>>
>>>>>>> On 2007-07-30 11:16:15 -0500, michael.mccormick@wellsfargo.com
> wrote:
>>>>>>>> There are emerging vendors who offer a hardened web browser 
>>>>>>>> that
> 
>>>>>>>> only allows the user to access certain pre-vetted web sites.  
>>>>>>>> The one I saw demo'd today is based on the Mozilla code base.  
>>>>>>>> The UI looks like a stripped-down Firefox.  While it's running 
>>>>>>>> all other Windows programs (inc. any key loggers or other
>>>>>>>> malware) are more or less suspended.  Only SSL communication is

>>>>>>>> allowed.  The browser also uses a private DNS server to avoid 
>>>>>>>> DNS poisoning and a signed URL list to avoid bookmark
poisoning.
>>>>>>> I wonder how scalable this actually is, and how much it'll be
> used.
>>>>>>> I've seen similar approaches demonstrated where the banking 
>>>>>>> platform was launched from a read-only Linux distribution (on 
>>>>>>> CD), to defend against any possible malware infestation.
>>>>>>>
>>>>>>> Regards,
>>>>>>> --Thomas Roessler, W3C  <tlr@w3.org>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>> --/*
>>> Serge Egelman
>>>
>>> PhD Candidate
>>> Vice President for External Affairs, Graduate Student Assembly 
>>> Carnegie Mellon University
>>>
>>> Legislative Concerns Chair
>>> National Association of Graduate-Professional Students */
> 
> --
> /*
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly 
> Carnegie Mellon University
> 
> Legislative Concerns Chair
> National Association of Graduate-Professional Students */
> 
> 
> 

--
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly Carnegie
Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students */
Received on Monday, 30 July 2007 23:03:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:50 GMT