- From: George Staikos <staikos@kde.org>
- Date: Sun, 16 Apr 2006 14:38:22 -0400
- To: public-usable-authentication@w3.org
On Friday 14 April 2006 09:48, Jeffrey Altman wrote: > I came away with the following from the discussions I held at the > workshop: > > (1) Secure Chrome is only secure if the user is able to distinguish > the "secure" from the "insecure". > > Suggestions have included that secure chrome be displayed by > the browser whenever the browser encounters a form that contains > a password field. I think that a password field only covers a limited subset of the vulnerable types of data input, but it's a good start. > When supported by the operating system is available, whenever > the user clicks within the secure chrome the user would be > removed to a separate desktop on which the user would be displayed > information about whom the data is being sent to as extracted from > a certificate (logos, common name, url, etc), a distinguishing > identifier selected by the user (perhaps a photo), and the form > to be filled in. This really sounds over-complicated and confusing. Conceptually it's an interesting approach, but I'm not so sure that the user experience will be the greatest. > (2) Attackers must not be able to determine what the secure chrome > looks like on any particular system. There are interesting ways to do this. I'm definitely interested in exploring these. For instance, personalization of the chrome. > (3) Another thing that was discussed was a hardware indicator of the > use of secure chrome. This would require that the indicator be > protected by the operating system and that the secure chrome itself > could be triggered by the operating system. This doesn't sound like it would apply across platforms (think: PDA, phone, etc) well. [...] > I believe the use of secure chrome is a good idea, but it certainly > would not be a cure all. It would simply raise the bar for the attacks > in the case where users can be trained not to accept certificates that > are not validated. Agreed. -- George Staikos KDE Developer http://www.kde.org/ Staikos Computing Services Inc. http://www.staikos.net/
Received on Sunday, 16 April 2006 18:42:14 UTC