- From: Stuart E. Schechter <ses@ll.mit.edu>
- Date: Fri, 05 Jan 2007 08:14:54 -0500
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- CC: <public-wsc-wg@w3.org>
> Interesting. I keep thinking part of the problem is trying to define all
> of security, instead of the parts that matter (protection from prying
> eyes, figuring out who you're talking to). Those don't strike me as
> categories too subtle for humans, since there are obvious human analogs
> (in a sealed envelope vs with a signature, for example).

Mez:

There's a difference between humans understanding security in theory and putting it into practice. When given a chance to evaluate a threat model and security system in theory, a respectable fraction of people _might_ be able to choose the correct type of security. However, in practice, threat models have gotten much harder to understand and it's hard enough for the professionals to get this right. The level of security you need depends on all sorts of questions about what you might do at a site and how you negotiate trust.

Say I'm logging into a service for the purpose of proving I'm a subscriber (e.g. Consumer Reports magazine). If I'm authenticating myself with a PKI client certificate and the authentication only serves to prove I've paid for a subscription, eavesdropping protection that can be defeated by a MITM attack may be enough. The same is true if I'm authenticating using a password unique to the subscription service. However, if I've used the same password for consumerreports.org that I use for my email service, maybe I need to have MITM protection. If, when I resend my banking password, a new password is sent to me by email, then I surely need MITM protection for my email!

Will the average user think about all these compounding issues when trying to quickly log in to consumerreports.org after seeing a scary story about infant car seats in the news? I'm very skeptical. It requires them to put what may seem like simple concepts (types of envelopes) into practice in very complicated environments with evolving threat models.
While I'm not sure that the providers of websites can be made to understand these threat models, the odds are better for them than for the end users.

I received a great example last night of how users make the wrong decisions even when the threat models are ancient and the technology easy to understand. After making a web purchase I received a call from a company that purports to perform security checks for my financial institution. They said they wanted to confirm that it was really I who made the purchase. The system that called me had no recognizable number from caller-ID. The system asked for the last 4 digits of my social security number to authenticate me (odd since they had called me). I was not offered an option to bypass entering these credentials (I entered '0000'). Because FI security companies have successfully deployed this, I can only assume that the vast majority of customers will in fact provide those 4 digits to anyone who calls purporting to be a security company representing their bank. This should be one of those easy threat models to understand (if somebody calls you at your number, it's their job to authenticate themselves before asking you to do so).

Cheers,
Stuart
Received on Friday, 5 January 2007 13:14:51 UTC