RE: Yahoo's new tool for anti-phishing

Yes. The cookies are issued in the login.yahoo.com domain and have information
that can be used to create a short-lived link to their sign-in seal. So even
if someone has somehow found the URL of the seal, it is only valid for a
minute.
No other sites should be able to get the cookies unless there is malware/spyware
on the machine, and in that case, as we all know, pretty much all bets are off.
 
Thanks
 
Naveen
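
As an added illustration, not Yahoo's code (the reply above does not say how the link is built), here is one way a server can turn a cookie-bound seal identifier into a link that stops resolving after a minute: an expiry timestamp plus an HMAC over the identifier and expiry, checked in constant time. The host, path, parameter names, key and seal identifier are placeholders.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed placeholder key; a real deployment keeps this server-side only.
SERVER_KEY = b"placeholder-server-side-secret"
SEAL_LINK_TTL = 60  # seconds: the thread says a seal link is only valid for a minute
SEAL_ENDPOINT = "https://login.example.test/seal"  # placeholder host and path


def make_seal_link(seal_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Build a short-lived link to a browser's sign-in seal.

    seal_id stands in for the value the login.yahoo.com cookie carries; it is
    bound to the browser/PC, not to a user account. The link carries an expiry
    and an HMAC over (seal_id, expiry), so neither can be changed by a client.
    """
    exp = now + SEAL_LINK_TTL
    sig = hmac.new(key, f"{seal_id}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{SEAL_ENDPOINT}?id={seal_id}&exp={exp}&sig={sig}"


def verify_seal_link(url: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """Return True only for an unexpired link whose signature matches.

    A leaked link therefore stops working once its minute has passed, and a
    link with an edited id or expiry fails the signature check.
    """
    query = parse_qs(urlparse(url).query)
    try:
        seal_id, exp, sig = query["id"][0], int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return False  # malformed or incomplete link
    if now >= exp:
        return False  # link has expired
    expected = hmac.new(key, f"{seal_id}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    issued = int(time.time())
    link = make_seal_link("seal-placeholder-123", issued)
    print(link)
    print("valid now:", verify_seal_link(link, issued + 5))
    print("valid after 2 minutes:", verify_seal_link(link, issued + 120))
```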

  _____  

From: sidners@aciworldwide.com [mailto:sidners@aciworldwide.com] 
Sent: Monday, September 11, 2006 3:06 PM
To: Naveen Agarwal
Cc: public-usable-authentication@w3.org;
public-usable-authentication-request@w3.org; 'Thomas Roessler'
Subject: Re: Yahoo's new tool for anti-phishing



Naveen, 

Help us understand this a little further: I assume the seal is stored as a
site-specific cookie, tied to the yahoo.com domain. Therefore only
yahoo.com servers should be able to pull it up, right? Any other (phishing)
domain will fail, right?

Thanks, 
   - Sid 




From: "Naveen Agarwal" <nagarwal@yahoo-inc.com>
Sent by: public-usable-authentication-request@w3.org
Sent: 11-Sep-2006 12:23 PM
To: "'Thomas Roessler'" <tlr@w3.org>, <public-usable-authentication@w3.org>
Cc:
Subject: Yahoo's new tool for anti-phishing


Some of you may have already seen this. Yahoo! has implemented a very easy to
use sign-in seal to help users recognize a genuine Y! login page. The seal
is not tied to any user but to the browser/PC, and to set it up a user
doesn't need to enter any username/password either. With a personal picture
it is very easy to recognize and use, and there are no extra steps to perform
when doing a login, i.e., the login flow remains as simple as it is today.

https://protect.login.yahoo.com/

Thanks 
  
Naveen 



  _____  


From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of Mary Ellen
Zurko
Sent: Monday, September 11, 2006 9:59 AM
To: Thomas Roessler
Cc: public-usable-authentication@w3.org
Subject: Re: Status Update on W3C Security Work 
  

This story seems timely. If consumers are going to hold institutions
accountable for phishing losses, institutions are going to demand an
infrastructure that they can reasonably use to thwart phishing attacks.

         Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html

Received on Wednesday, 13 September 2006 06:32:47 UTC