- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Fri, 14 Apr 2006 09:06:17 -0400
- To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: <public-usable-authentication@w3.org>
- Message-ID: <E1FUO0L-0002lD-8G@lisa.w3.org>
Both if unalterable chrome indicated when you were in safe mode, and if we could educate customers that they are only talking to their Bank when in safe mode. They would have an indication that all is not right if they are not in safe mode. Conversely, if I put the customer in safe mode, then that eliminates lots of cross site scripting and other sorts of attacks. This may not be perfect, but it does make things more difficult.

_____

From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, April 14, 2006 9:00 AM
To: Dan Schutzer
Cc: public-usable-authentication@w3.org
Subject: RE: Secure Chrome

But of course a malicious web site will not go into the high risk safe mode. And a user naive enough to get easily phished is unlikely to think of doing it explicitly.

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
IBM Lotus/WPLC Security Strategy and Architecture

"Dan Schutzer" <dan.schutzer@fstc.org>
04/14/2006 08:56 AM
To "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>
cc <public-usable-authentication@w3.org>
Subject RE: Secure Chrome

One approach is to let the web site and the customer determine when they want to go into high risk safe mode transaction.

_____

From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, April 14, 2006 8:28 AM
To: Dan Schutzer
Cc: public-usable-authentication@w3.org
Subject: RE: Secure Chrome

Interestingly enough, the question George is asking, is whether you as a website developer are willing to design the part of your web that deals with high risk transactions to not use any active content at all. The question George isn't asking is how a browser would know that a high risk transaction was about to occur with a malicious site. I expect there to be some interesting work at SOUPS addressing this sort of question.

As I mentioned at the workshop (which Danny hated to hear), some of this is still at the research phase. Which makes it hard to standardize.

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
IBM Lotus/WPLC Security Strategy and Architecture

"Dan Schutzer" <dan.schutzer@fstc.org>
Sent by: public-usable-authentication-request@w3.org
04/12/2006 02:50 PM
To "'George Staikos'" <staikos@kde.org>, <public-usable-authentication@w3.org>
cc
Subject RE: Secure Chrome

I think, just as the web browsing experience now allows a user to set and change various levels of security and privacy depending on the website, I would think they could be induced to allow websites and customers to select for more high risk transactions a safe browsing mode to be invoked. It is an idea whose time may have come. I as a user would welcome such modes within my control, so that when I am transacting and exchanging highly sensitive information, I can work in a more secure mode.

-----Original Message-----
From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of George Staikos
Sent: Wednesday, April 12, 2006 1:55 PM
To: public-usable-authentication@w3.org
Subject: Re: Secure Chrome

On Tuesday 11 April 2006 18:30, Mary Ellen Zurko wrote:
> No active content at all. Zippo. No javascript. No Java. No ActiveX.
>
> Web browsing the way nature intended :-).
>
> Yes, there's a lot of things you couldn't do with such a browser. But it
> has the benefit of simplicity.

Do you think any website developers will ever accept such a thing? :-) I think not...

--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/
Received on Friday, 14 April 2006 13:06:35 UTC