- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Mon, 30 Jul 2007 18:27:53 -0400
- To: Serge Egelman <egelman@cs.cmu.edu>
- Cc: michael.mccormick@wellsfargo.com, dan.schutzer@fstc.org, tlr@w3.org, public-wsc-wg@w3.org
That's a fair point. I guess I was hoping that we could convince the organizations that wanted a safe browsing mode to require the use of their own client app for a login that does anything significant, with that password hashed or whatnot. Though that does destroy the universal access aspect of a lot of online applications.

I'm not sure, though, that Safe Browsing Mode was meant to combat phishing as opposed to providing an opt-in mechanism for users to ensure that they're using a secure connection. I don't see, for instance, how a safe browsing mode defeats the spear-phish, either. Maybe you're saying the same thing. :)

cheers,
mike

On 30-Jul-07, at 5:04 PM, Serge Egelman wrote:

> While that's certainly a better idea than the original proposal, the
> question still remains: when a user does receive that message from
> "their bank," will they still click on it and be fooled by whatever
> opens in their web browser? All the current literature out there
> says yes.
>
> serge
>
> Mike Beltzner wrote:
>>
>> I think that fails as it creates an idea of a private web. I'm all for
>> single-web-app-specific browsers (note: at an implementation level,
>> these can actually be very small config files which just restrict a
>> loaded instance of a browser) distributed by the party with the trust
>> relationship between the user, should be used as a way of creating a
>> reliable and private communication path. No URL bar, no loading clicks
>> from email, the message becomes "Get the WhateverBank Home Banking Tool
>> and manage your money!"
>>
>> cheers,
>> mike
>>
>> On 30-Jul-07, at 4:34 PM, <michael.mccormick@wellsfargo.com> wrote:
>>
>>> The line is blurry at best. The browser I saw demo'd came pre-loaded
>>> with shortcuts for about 30 popular web sites. It's not specific to one
>>> site (although it can be packaged that way). So to me it seems similar
>>> to SBM which also would come with a restricted list of trusted web
>>> sites.
>>>
>>> -----Original Message-----
>>> From: Mike Beltzner [mailto:beltzner@mozilla.com]
>>> Sent: Monday, July 30, 2007 2:53 PM
>>> To: Dan Schutzer
>>> Cc: 'Thomas Roessler'; McCormick, Mike; public-wsc-wg@w3.org
>>> Subject: Re: Authentium
>>>
>>> To be clear, I don't think this is "secure web browsing". I think this
>>> is a "Some Bank's Home Banking Application" that happens to, under the
>>> covers, use the protocols and technologies that we call "the web".
>>>
>>> cheers,
>>> mike
>>>
>>> On 30-Jul-07, at 3:14 PM, Dan Schutzer wrote:
>>>
>>>> I agree that there are a number of vendors, and that the idea of
>>>> talking Secure Web Browsing is that we can scale it up and get the
>>>> mainstream vendors Mozilla, Microsoft etc supporting it. I think the
>>>> timing might be right to start talking seriously as to how we can all
>>>> work together to make this happen; launch some joint W3C/FSTC
>>>> follow-on to the WSC.
>>>>
>>>> Dan Schutzer
>>>>
>>>> -----Original Message-----
>>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mike Beltzner
>>>> Sent: Monday, July 30, 2007 2:56 PM
>>>> To: Thomas Roessler
>>>> Cc: michael.mccormick@wellsfargo.com; public-wsc-wg@w3.org
>>>> Subject: Re: Authentium
>>>>
>>>> Mark Finkle, a Mozilla Technology Evangelist, has produced a set of
>>>> binaries called "WebRunner" which is meant to make it easier to
>>>> produce an HTML client that talks to a single web-application. He
>>>> hasn't done any work vis-a-vis locking it down from a security
>>>> perspective, but we could talk to him about adding that to his
>>>> working list of requirements.
>>>>
>>>> I think there's some value in looking at organizations creating and
>>>> distributing website specific apps, and it fits into a model of
>>>> "web-backed widgetry" which is popular on mobile devices.
>>>>
>>>> cheers,
>>>> mike
>>>>
>>>> On 30-Jul-07, at 1:57 PM, Thomas Roessler wrote:
>>>>
>>>>> (Cutting the CC list down)
>>>>>
>>>>> On 2007-07-30 11:16:15 -0500, michael.mccormick@wellsfargo.com wrote:
>>>>>
>>>>>> There are emerging vendors who offer a hardened web browser that
>>>>>> only allows the user to access certain pre-vetted web sites. The
>>>>>> one I saw demo'd today is based on the Mozilla code base. The UI
>>>>>> looks like a stripped-down Firefox. While it's running all other
>>>>>> Windows programs (inc. any key loggers or other malware) are more
>>>>>> or less suspended. Only SSL communication is allowed. The
>>>>>> browser also uses a private DNS server to avoid DNS poisoning and
>>>>>> a signed URL list to avoid bookmark poisoning.
>>>>>
>>>>> I wonder how scalable this actually is, and how much it'll be used.
>>>>> I've seen similar approaches demonstrated where the banking platform
>>>>> was launched from a read-only Linux distribution (on CD), to defend
>>>>> against any possible malware infestation.
>>>>>
>>>>> Regards,
>>>>> --Thomas Roessler, W3C <tlr@w3.org>
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
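The hardened browser described further up the thread enforces two controls that are easy to reason about in code: it only allows SSL connections, and it navigates only to sites on a signed list so that a tampered bookmark file cannot redirect the user. The following is an added example written for this page, not code from the thread, from Mozilla, or from any vendor product. It models those two controls as a navigation policy check. An HMAC over the host list stands in for whatever signature scheme the vendor used (a shipped product would verify an asymmetric signature with a public key instead of holding a shared secret); the key, host names and sample URLs are constructed.

```python
"""Navigation policy for an allowlist-only browser shell (added example).

Models two controls from the thread: an integrity-protected list of
permitted sites (the thread's "signed URL list"; an HMAC stands in for
the vendor's signature) and an HTTPS-only rule. Everything here,
including the key and the hosts, is constructed for illustration.
"""
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed key for the demo; a real deployment would ship a public
# key and verify an asymmetric signature rather than share a secret.
LIST_KEY = b"constructed-demo-key-not-for-real-use"


def sign_allowlist(hosts, key=LIST_KEY):
    """Produce the list blob: canonical JSON of the hosts plus a MAC."""
    body = json.dumps(sorted(h.lower() for h in hosts), separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"hosts": body, "mac": mac}


def load_allowlist(blob, key=LIST_KEY):
    """Verify the MAC before trusting the list; a tampered list yields None."""
    expected = hmac.new(key, blob["hosts"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["mac"]):
        return None
    return set(json.loads(blob["hosts"]))


def navigation_allowed(url, allowed_hosts):
    """Apply the policy: https only, no userinfo in the authority,
    and an exact host match against the verified list."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "non-https scheme"
    if "@" in parts.netloc:
        return False, "userinfo in authority"
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return False, "host not on signed list"
    return True, "ok"


def evaluate(urls, blob, key=LIST_KEY):
    """Verify the list once, then decide each URL; refuse everything
    if the list does not verify."""
    allowed = load_allowlist(blob, key)
    if allowed is None:
        return {u: (False, "allowlist signature invalid") for u in urls}
    return {u: navigation_allowed(u, allowed) for u in urls}


if __name__ == "__main__":
    blob = sign_allowlist(["bank.example", "broker.example"])
    sample = [  # constructed navigation attempts
        "https://bank.example/login",
        "http://bank.example/login",
        "https://bank.example@evil.example/",
        "https://bank.example.evil.example/",
    ]
    for url, (ok, why) in evaluate(sample, blob).items():
        print("ALLOW" if ok else "BLOCK", url, why)
    # Bookmark poisoning attempt: the list is edited without re-signing,
    # so load_allowlist() rejects it and nothing is reachable.
    tampered = dict(blob, hosts=blob["hosts"].replace("broker", "evil"))
    print(load_allowlist(tampered))
```

The host comparison is deliberately exact rather than suffix-based, and the authority is rejected outright if it carries userinfo, because both a lookalike subdomain and a `user@host` prefix are the usual ways a plausible-looking URL points somewhere other than the listed site.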
Received on Monday, 30 July 2007 22:28:14 UTC