- From: Jörg Schwenk <joerg.schwenk@ruhr-uni-bochum.de>
- Date: Tue, 13 Jun 2006 13:14:22 +0200
- To: <public-usable-authentication@w3.org>
- Message-ID: <018e01c68eda$86256450$9ba2fcd9@jotop>
Dear all, due to the different time zone, let me respond to some of the mails exchanged in one mail: Spoofable Browser Chrome One year ago Sebastian implemented a complete, Javascript based spoof of IE6 SP1, including menue-, tool-, address- and statusbar, and the certificate verification dialogue. In our discussions with German banks, it is still very effective to show this as an example. Individual Browser Chrome As a fix against the Javascript spoof, we have implemented a BHO to make the Browser chrome individual. The website (in German, we are going to translate it) can be found at http://www.nds.ruhr-uni-bochum.de/research/top/ipi/visualspoofing/index.html .. The idea goes back to Tygar (1997), see also http://www.cs.berkeley.edu/~tygar/papers/Phishing/Battle_against_phishing..pd f Persistent User Identification We have submitted a paper to the W3C workshop, which was not presented, where we described a 3-party protocol between user, browser and server. The idea is to use SSL client authentication to identify the browser against the bank, and then to display a private picture of the customer together with a login form. We thus use the private key of the user as a kind of "secure cookie", which should never leave the browser. http://www.w3.org/2005/Security/usability-ws/papers/09-dortmund-reverse/ General Attacks on Desktop applications The chrome of desktop applications can also be spoofed with little effort, see http://www2.hig.no/~hannol/research/gi06p.pdf XML Security in Browsers New discussion topic: We think it would be nice to have (in addition to SSL) a Secure Chrome display for signed XHTML content (XML signature needs to be implemented). As Amir pointed out in his talk, one of the major mounting attacks to launch malware attacks is malicious content of web sites. All the best Sebastian and Joerg www.nds.rub.de www.a-i3.org -----Ursprüngliche Nachricht----- Von: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] Im Auftrag von Amir Herzberg Gesendet: Dienstag, 13. Juni 2006 07:26 An: Chris Drake Cc: public-usable-authentication@w3.org Betreff: Re: Secure Chrome Chris Drake wrote: > Hi Amir, > > Either you didn't look at googles demo, or you just got tricked by > that spoof web site? > http://guardpuppy.com/BrowserChromeIsDead.gif > > There is no browser window or popup of any kind shown in the above > picture. It's a <DIV>. It could just as easily be an <IMG> with a > <form> overlaying it via CSS. > Chris, this was very clear to me - in fact, the foils I've presented at the NYC meeting include this attack... OTOH, you may be right, there may already be enough tricks to do persistent user identification, and that may be a good technique. Can you provide a bit more detail or reference to what may be good persistent identifiers? Best, Amir Herzberg
Received on Tuesday, 13 June 2006 15:04:38 UTC