- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 31 Jan 2007 09:18:17 +0000
- To: Bob Pinheiro <Bob.Pinheiro@FSTC.org>
- CC: public-wsc-wg@w3.org
I quite like this idea, though there may be gotchas in how it would/could be implemented (e.g. what if I have >1 browser process running? I don't want to have to kill my linux distro download just to check my bank balance). Still, to the extent that it can be achieved, such a mostly-user-controlled safe mode would be great.

Only biggish thing I'd add is maybe that there could be more than one reasonable set of rules to apply in safe-mode. For example, it could be that different rules would have to be applied inside vs. outside a corporate network. Having different rule-sets or whatever would also allow for future developments, e.g. if at some point we become confident enough in certificate status checking to make that a must for safe-mode, then one could upgrade to start enforcing that rule.

And a nit: this would of course become quite a target for malware - controlling that list and associated rules would be valuable.

S.

Bob Pinheiro wrote:
> *_Safe Browsing Mode: Definitions and Concept_*
>
> Safe Browsing Mode is a special browsing window or tab that would allow a particular user to visit only those websites that have been previously determined to be trusted. In most cases, each individual user makes a determination of which websites are trusted. In some cases, users may rely on other trusted parties to determine which websites are trusted.
>
> Benefit of Safe Browsing Mode: User can be confident that any website accessible via Safe Browsing Mode is trusted according to criteria established by the user, or to criteria established by another party that the user trusts.
>
> The means by which a user determines that a particular website is trusted is not defined by Safe Browsing Mode.
>
> * Determination that a website is trusted may depend on visual cues associated with Extended Verification certificates, other cues, user experience, or any other means the user chooses.
>
> Websites that have been determined to be trusted are placed on a White List by the user (or other trusted party).
>
> * Via conscious user action?
> * Via prompt from browser based on absence from existing White List?
> * Other?
>
> A White List would consist of, at minimum, the URL of each trusted site, and a “fingerprint” of the trusted site's certificate.
>
> * Fingerprint of a certificate is defined by OpenSSL as "the digest of the DER encoded version of the whole certificate", where "digest" is a hash function.
>
> Safe Browsing Mode would allow access only to those websites whose URLs appear on the White List, and whose certificate fingerprints match the fingerprint stored on the White List for each corresponding URL.
>
> Safe Browsing Mode may be invoked in the following ways:
>
> * User would key in a secure attention sequence (such as Ctl-Alt-Del) to invoke Safe Browsing Mode. This would send a signal to the OS that the OS should invoke Safe Browsing Mode in a browser.
> * User may choose a menu item in the browser to invoke Safe Browsing Mode.
> * Invoking Safe Browsing Mode via the OS may be more resistant to attack than invoking it from within the browser itself.
>
> Third party validation services, such as OCSP certificate validation, might be included in a browser's implementation of Safe Browsing Mode.
>
> Safe Browsing Mode requires users to take specific actions to establish trust in a website, add the website to the White List, and subsequently invoke the Safe Browsing Mode tab or window. Therefore, users may only bother with Safe Browsing Mode for websites that require users to provide sensitive personal information.
>
> Industry groups such as the financial services industry could publish White Lists of trusted sites.
>
> * Does browser need to query external White List?
> * Do external White Lists get downloaded into User’s browser whenever a change occurs?
>
> *Safe Browsing Use Case 1: User Creates White List*
>
> 1. User visits website in ordinary browsing mode and determines that the website is trusted according to criteria set by the user; i.e., cues triggered by EV certificates, other cues, experience, etc.
>
> 2. Website URL and certificate signature are added to White List.
>
> *Safe Browsing Use Case 2: Viewing Trusted Websites in Safe Browsing Mode*
>
> 1. User invokes Safe Browsing Mode by keying in a secure attention sequence.
>
> 2. User provides a URL of website to be visited, or uses a bookmark.
>    - Website will be viewable if URL is on White List and certificate signature on White List matches certificate signature of website.
>    - Bookmarks only show trusted sites on White List.
>
> 3. If URL is provided for a site not on the White List, user receives some type of message indicating such.
>
> *Safe Browsing Use Case 3: User Subscribes to White List Created by a Trusted Industry Organization*
>
> 1. User subscribes to the “List of Official Banking Institutions That Lend Money to Unemployed Philosophers”, published by the highly-regarded Union of Unemployed Philosophers. The List contains URLs and certificate signatures of banking websites that have been verified as lending money to unemployed philosophers.
>
> 2. User receives a phishing email containing a link to a bank advertising itself as providing loans to unemployed philosophers, and offers very low interest rates on new loans.
>
> 3. User invokes Safe Browsing Mode by keying in secure attention sequence.
>
> 4. If User clicks on link in the email and a banking website opens in Safe Browsing Mode, User is assured that the bank is legitimate and provides loans to unemployed philosophers.
>
> 5. If the link in the email is bogus, a message appears when User clicks the link, warning User that the link cannot be verified as legitimate.
Received on Wednesday, 31 January 2007 09:17:27 UTC
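The White List check the quoted proposal describes (site host plus certificate fingerprint, where the fingerprint is a digest over the whole DER-encoded certificate, as the OpenSSL definition quoted above says), written out as an added Python example that is not part of the thread. The DER byte strings are constructed stand-ins rather than real certificates, and the result labels (`allow`, `not-on-list`, `fingerprint-mismatch`, `not-https`) are assumptions made for this example.

```python
"""Safe Browsing Mode White List check (added example, not from the thread)."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-ins for DER-encoded certificates; not real X.509 data.
# The fingerprint is a digest over the whole blob, per the OpenSSL definition.
BANK_DER_V1 = b"\x30\x82\x01\x00" + b"constructed-bank-cert-v1"
BANK_DER_V2 = b"\x30\x82\x01\x00" + b"constructed-bank-cert-v2"  # a different cert


def fingerprint(der: bytes) -> str:
    """OpenSSL-style fingerprint: SHA-256 of the DER bytes as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_of(url: str) -> Optional[str]:
    """Key the White List by host; only an https URL presents a certificate."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def build_white_list(entries: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Use Case 1: the user adds (url, certificate DER) pairs to the White List."""
    white_list: Dict[str, str] = {}
    for url, der in entries:
        host = host_of(url)
        if host is not None:
            white_list[host] = fingerprint(der)
    return white_list


def check(white_list: Dict[str, str], url: str, presented_der: bytes) -> str:
    """Use Case 2: both conditions must hold before Safe Browsing Mode shows `url`:
    the host is on the White List and the presented certificate's fingerprint
    matches the stored one. Result labels are assumptions made for this example."""
    host = host_of(url)
    if host is None:
        return "not-https"
    expected = white_list.get(host)
    if expected is None:
        return "not-on-list"          # site never added: refuse and tell the user
    if not hmac.compare_digest(expected, fingerprint(presented_der)):
        return "fingerprint-mismatch"  # listed host, but not the pinned certificate
    return "allow"
```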