- From: Chris Drake <christopher@pobox.com>
- Date: Tue, 13 Jun 2006 00:41:09 +1000
- To: public-usable-authentication@w3.org
Hi Amir,

Either you didn't look at Google's demo, or you just got tricked by that spoof web site? http://guardpuppy.com/BrowserChromeIsDead.gif

There is no browser window or popup of any kind shown in the above picture. It's a <DIV>. It could just as easily be an <IMG> with a <form> overlaying it via CSS.

Here's another way to imagine it if you're still confused.

A) Visit PayPal.com
B) Re-size your browser window to 50% of your desktop
C) Hit Alt-Printscreen
D) Open MS-Paint, paste in the screenshot, and save the image to a file - pp.gif
E) Upload the picture to www.evilwebsite.com
F) In any page on that site, insert <img src="pp.gif">
G) Add some CSS to float the image over whatever content evilwebsite.com already displays, and some <form> elements to float over the image, and you've got an attack that is 100% pixel-perfect AND 100% workflow-perfect of the legitimate original PayPal web site - including the https:// address bar and INCLUDING the popup certificate (another floating img) when users click the padlock.

Not a single professional in the world would be able to distinguish the above fake from the real site without significant effort - and no amount of shared-secretless or stateless browser chrome can prevent it.

Monday, June 12, 2006, 11:36:17 PM, Amir Herzberg wrote:
> Would it help to make a more `permanent` kind of (limited) cookie?

Client certificates work in all browsers AFAIK. Microsoft browsers also have userData persistence, which offers additional persistent identifiers (also SSL-protected like secure cookies) that are really easy to use. There are some other interesting (re-)identifying tricks that work on all browsers without using cookies too. A properly constructed identity service could allow users to tell it what's an acceptable way to re-identify - people with static IPs being given that as an option on top of persistence and/or cookies and/or other identifying tricks or services.
Monday, June 12, 2006, 11:46:43 PM, Frederick Hirsch wrote:
> (in this case open source seems to enable a modification/replacement
> attack on the entire browser implementation itself)

It doesn't have to be an attack on the entire browser - even just a browser toolbar or add-in is sufficient. Everyone who's installed any of these new-fangled toolbar things has granted permission to the authors to do anything they want with every web page you visit - SSL or not - including reading and changing all contents, recording anything they want (including passwords, credit card numbers, anything), permanently tracking you regardless of your cookies and privacy settings, and granting the authors permission to automatically add or remove any functionality they want anytime in the future (not to mention the chances of allowing hackers to take control of your browser if any toolbar implementations have bugs in them).

Even just asking users to install a new security or chrome toolbar is an open invitation to phishing folks and spammers to invite you to install *their* "secure chrome" toolbar instead - which of course will give them all your bank details etc. without them having to bother with actually spoofing sites - they can just take your data out of your web browser from the *legitimate* sites you visit - or if they can't take your data (e.g. SecurID tokens), they can HTTP POST whatever funds-transfer <form> fields are necessary to take your money in real time, the next time you use your token...

It's too easy to simulate browser chrome, and too much to ask that designers take another user-interface-functionality hit to satisfy the whims of chrome advocates, and definitely way too much to ask that every browser vendor on every OS implement it.
This is an authentication issue, which can be done today on existing technology, without writing client-side code or forcing people to install stuff (which - let's face it - even if chrome got rolled out - would take a decade to become ubiquitous anyway). If backpackers can't check their email in Timbuktu, Hotmail can't use secure chrome.

Kind Regards,
Chris Drake
Received on Monday, 12 June 2006 15:40:41 UTC