
Re: Authentium

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Mon, 30 Jul 2007 19:09:40 -0400
Message-ID: <46AE6FB4.9040007@cs.cmu.edu>
To: michael.mccormick@wellsfargo.com
CC: beltzner@mozilla.com, dan.schutzer@fstc.org, tlr@w3.org, public-wsc-wg@w3.org

Yes.  Obviously this only addresses the theft of bank credentials. 
However, these are currently the most prevalent scams (anecdotally).

serge

michael.mccormick@wellsfargo.com wrote:
> Phishers don't have to connect to bank web sites to profit.  They can
> collect credit card numbers to commit merchant fraud, SSNs to commit
> identity theft, etc.  But you're right - this could theoretically make
> the bank id/password a less juicy piece of information, and that would
> be a big step in the right direction.
> 
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
> Sent: Monday, July 30, 2007 5:49 PM
> To: McCormick, Mike
> Cc: beltzner@mozilla.com; dan.schutzer@fstc.org; tlr@w3.org;
> public-wsc-wg@w3.org
> Subject: Re: Authentium
> 
> Right, but then what does the phisher do with that information?
> 
> If we're relying on custom software to do this, and using some sort of
> hashing, it's feasible to construct a system such that if the user
> visits a phishing site, the information is useless to the phisher.
> 
> serge
> 
> michael.mccormick@wellsfargo.com wrote:
>> I think the issue you raised earlier Serge would remain a problem even
>> if banks only allowed a secure browser on their sites.  Because the
>> phisher's email doesn't link to the bank's web site, it links to his
>> site.
>>
>> -----Original Message-----
>> From: Serge Egelman [mailto:egelman@cs.cmu.edu]
>> Sent: Monday, July 30, 2007 5:36 PM
>> To: Mike Beltzner
>> Cc: McCormick, Mike; dan.schutzer@fstc.org; tlr@w3.org; 
>> public-wsc-wg@w3.org
>> Subject: Re: Authentium
>>
>> Yeah, I think we are saying the same thing.
>>
>> And sure, if banks only allowed this app to log in to their site, the
>> problem would be largely solved.  But wait, it's already been solved
>> if we work under that assumption.  There's a plethora of fancy schemes
>> presented at security conferences that solve phishing.  However, no
>> one uses them because 1) they require training, and 2) you lose the
>> ability to check your accounts from other computers.
>>
>> serge
>>
>> Mike Beltzner wrote:
>>> That's a fair point. I guess I was hoping that we could convince the
>>> organizations that wanted a safe browsing mode to require the use of
>>> their own client app for a login that does anything significant, with
>>> that password hashed or whatnot. Though that does destroy the
>>> universal access aspect of a lot of online applications.
>>>
>>> I'm not sure, though, that Safe Browsing Mode was meant to combat 
>>> phishing as opposed to providing an opt-in mechanism for users to 
>>> ensure that they're using a secure connection. I don't see, for 
>>> instance, how a safe browsing mode defeats the spear-phish, either.
>>>
>>> Maybe you're saying the same thing. :)
>>>
>>> cheers,
>>> mike
>>>
>>> On 30-Jul-07, at 5:04 PM, Serge Egelman wrote:
>>>
>>>> While that's certainly a better idea than the original proposal, the
>>>> question still remains: when a user does receive that message from
>>>> "their bank," will they still click on it and be fooled by whatever
>>>> opens in their web browser?  All the current literature out there
>>>> says yes.
>>>>
>>>> serge
>>>>
>>>> Mike Beltzner wrote:
>>>>> I think that fails as it creates an idea of a private web. I'm all 
>>>>> for single-web-app-specific browsers (note: at an implementation 
>>>>> level, these can actually be very small config files which just 
>>>>> restrict a loaded instance of a browser) distributed by the party 
>>>>> with the trust relationship between the user, should be used as a 
>>>>> way of creating a reliable and private communication path. No URL 
>>>>> bar, no loading clicks from email, the message becomes "Get the 
>>>>> WhateverBank Home Banking Tool and manage your money!"
>>>>>
>>>>> cheers,
>>>>> mike
>>>>>
>>>>> On 30-Jul-07, at 4:34 PM, <michael.mccormick@wellsfargo.com> wrote:
>>>>>
>>>>>> The line is blurry at best.  The browser I saw demo'd came
>>>>>> pre-loaded with shortcuts for about 30 popular web sites.  It's
>>>>>> not specific to one site (although it can be packaged that way).
>>>>>> So to me it seems similar to SBM which also would come with a
>>>>>> restricted list of trusted web sites.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Mike Beltzner [mailto:beltzner@mozilla.com]
>>>>>> Sent: Monday, July 30, 2007 2:53 PM
>>>>>> To: Dan Schutzer
>>>>>> Cc: 'Thomas Roessler'; McCormick, Mike; public-wsc-wg@w3.org
>>>>>> Subject: Re: Authentium
>>>>>>
>>>>>> To be clear, I don't think this is "secure web browsing". I think
>>>>>> this is a "Some Bank's Home Banking Application" that happens to,
>>>>>> under the covers, use the protocols and technologies that we call
>>>>>> "the web".
>>>>>>
>>>>>> cheers,
>>>>>> mike
>>>>>>
>>>>>> On 30-Jul-07, at 3:14 PM, Dan Schutzer wrote:
>>>>>>
>>>>>>> I agree that there are a number of vendors, and that the idea of
>>>>>>> talking Secure Web Browsing is that we can scale it up and get
>>>>>>> the mainstream vendors Mozilla, Microsoft etc supporting it. I
>>>>>>> think the timing might be right to start talking seriously as to
>>>>>>> how we can all work together to make this happen; launch some
>>>>>>> joint W3C/FSTC follow-on to the WSC.
>>>>>>>
>>>>>>> Dan Schutzer
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg- 
>>>>>>> request@w3.org] On Behalf Of Mike Beltzner
>>>>>>> Sent: Monday, July 30, 2007 2:56 PM
>>>>>>> To: Thomas Roessler
>>>>>>> Cc: michael.mccormick@wellsfargo.com; public-wsc-wg@w3.org
>>>>>>> Subject: Re: Authentium
>>>>>>>
>>>>>>>
>>>>>>> Mark Finkle, a Mozilla Technology Evangelist, has produced a set
>>>>>>> of binaries called "WebRunner" which is meant to make it easier
>>>>>>> to produce an HTML client that talks to a single web-application.
>>>>>>> He hasn't done any work vis-a-vis locking it down from a security
>>>>>>> perspective, but we could talk to him about adding that to his
>>>>>>> working list of requirements.
>>>>>>>
>>>>>>> I think there's some value in looking at organizations creating
>>>>>>> and distributing website specific apps, and it fits into a model
>>>>>>> of "web-backed widgetry" which is popular on mobile devices.
>>>>>>>
>>>>>>> cheers,
>>>>>>> mike
>>>>>>>
>>>>>>> On 30-Jul-07, at 1:57 PM, Thomas Roessler wrote:
>>>>>>>
>>>>>>>> (Cutting the CC list down)
>>>>>>>>
>>>>>>>> On 2007-07-30 11:16:15 -0500, michael.mccormick@wellsfargo.com
>>>>>>>> wrote:
>>>>>>>>> There are emerging vendors who offer a hardened web browser
>>>>>>>>> that only allows the user to access certain pre-vetted web
>>>>>>>>> sites.  The one I saw demo'd today is based on the Mozilla
>>>>>>>>> code base.  The UI looks like a stripped-down Firefox.  While
>>>>>>>>> it's running all other Windows programs (inc. any key loggers
>>>>>>>>> or other malware) are more or less suspended.  Only SSL
>>>>>>>>> communication is allowed.  The browser also uses a private DNS
>>>>>>>>> server to avoid DNS poisoning and a signed URL list to avoid
>>>>>>>>> bookmark poisoning.
>>>>>>>>
>>>>>>>> I wonder how scalable this actually is, and how much it'll be
>>>>>>>> used.
>>>>>>>> I've seen similar approaches demonstrated where the banking
>>>>>>>> platform was launched from a read-only Linux distribution (on
>>>>>>>> CD), to defend against any possible malware infestation.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> --Thomas Roessler, W3C  <tlr@w3.org>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>> --/*
>>>> Serge Egelman
>>>>
>>>> PhD Candidate
>>>> Vice President for External Affairs, Graduate Student Assembly 
>>>> Carnegie Mellon University
>>>>
>>>> Legislative Concerns Chair
>>>> National Association of Graduate-Professional Students */
>> --
>> /*
>> PhD Candidate
>> Vice President for External Affairs, Graduate Student Assembly 
>> Carnegie Mellon University
>>
>> Legislative Concerns Chair
>> National Association of Graduate-Professional Students */
>>
>>
>>
> 
> --
> /*
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly Carnegie
> Mellon University
> 
> Legislative Concerns Chair
> National Association of Graduate-Professional Students */
> 
> 
> 

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
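The "some sort of hashing" idea raised in the quoted exchange, as an added illustration that is not part of the original thread: a client derives a per-origin credential from the user's master password and the origin it actually connected to, so a value captured on a look-alike phishing origin does not verify at the real bank. The hostnames, the HMAC-SHA256 construction and the bank-side verifier are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Normalize the origin the client actually connected to (scheme + host).
    Using the real connection target, not what the page claims to be, is the point."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{parts.scheme.lower()}://{host}"


def derive_site_password(master_password: str, url: str) -> str:
    """Per-site credential: HMAC-SHA256 keyed by the master password over the origin.
    (Assumed construction; a deployed scheme would add a slow KDF, see the note below.)"""
    origin = site_key(url)
    mac = hmac.new(master_password.encode("utf-8"), origin.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)[:24].decode("ascii")


# Constructed sample origins: the real bank and a look-alike phishing host.
BANK_LOGIN = "https://www.examplebank.test/login"
PHISH_LOGIN = "https://www.examplebank-secure.test/login"


def bank_registers(master_password: str) -> str:
    """What the bank stores at enrolment: a hash of the derived value, never the master."""
    derived = derive_site_password(master_password, BANK_LOGIN)
    return hashlib.sha256(derived.encode("utf-8")).hexdigest()


def bank_verifies(stored_verifier: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted derived value against the stored verifier."""
    candidate = hashlib.sha256(submitted.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored_verifier, candidate)


def phishing_replay_succeeds(master_password: str) -> bool:
    """Simulate the attack: user types the master password on the phishing page, the client
    derives for the phishing origin, and the phisher replays the captured value at the bank."""
    verifier = bank_registers(master_password)
    captured = derive_site_password(master_password, PHISH_LOGIN)
    return bank_verifies(verifier, captured)
```

The captured value still lets the phisher try to brute-force a weak master password offline, which is why a real deployment derives through a slow, salted KDF rather than a bare HMAC, and why the scheme only helps if the client binds to the true origin.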
Received on Monday, 30 July 2007 23:10:43 GMT
