Re: Authentium

Yeah, I think we are saying the same thing.

And sure, if banks only allowed this app to log in to their site, the
problem would be largely solved.  But wait, it's already been solved if
we work under that assumption.  There's a plethora of fancy schemes
presented at security conferences that solve phishing.  However, no one
uses them because 1) they require training, and 2) you lose the ability
to check your accounts from other computers.

serge

Mike Beltzner wrote:
> That's a fair point. I guess I was hoping that we could convince the 
> organizations that wanted a safe browsing mode to require the use of 
> their own client app for a login that does anything significant, with 
> that password hashed or whatnot. Though that does destroy the universal 
> access aspect of a lot of online applications.
> 
> I'm not sure, though, that Safe Browsing Mode was meant to combat 
> phishing as opposed to providing an opt-in mechanism for users to ensure 
> that they're using a secure connection. I don't see, for instance, how a 
> safe browsing mode defeats the spear-phish, either.
> 
> Maybe you're saying the same thing. :)
> 
> cheers,
> mike
> 
> On 30-Jul-07, at 5:04 PM, Serge Egelman wrote:
> 
>> While that's certainly a better idea than the original proposal, the
>> question still remains: when a user does receive that message from
>> "their bank," will they still click on it and be fooled by whatever
>> opens in their web browser?  All the current literature out there says 
>> yes.
>>
>> serge
>>
>> Mike Beltzner wrote:
>>>
>>> I think that fails as it creates an idea of a private web. I'm all for
>>> single-web-app-specific browsers (note: at an implementation level,
>>> these can actually be very small config files which just restrict a
>>> loaded instance of a browser) distributed by the party with the trust
>>> relationship with the user; they should be used as a way of creating a
>>> reliable and private communication path. No URL bar, no loading clicks
>>> from email, the message becomes "Get the WhateverBank Home Banking Tool
>>> and manage your money!"
>>>
>>> cheers,
>>> mike
>>>
>>> On 30-Jul-07, at 4:34 PM, <michael.mccormick@wellsfargo.com> wrote:
>>>
>>>> The line is blurry at best.  The browser I saw demo'd came pre-loaded
>>>> with shortcuts for about 30 popular web sites.  It's not specific to
>>>> one site (although it can be packaged that way).  So to me it seems
>>>> similar to SBM which also would come with a restricted list of trusted
>>>> web sites.
>>>>
>>>> -----Original Message-----
>>>> From: Mike Beltzner [mailto:beltzner@mozilla.com]
>>>> Sent: Monday, July 30, 2007 2:53 PM
>>>> To: Dan Schutzer
>>>> Cc: 'Thomas Roessler'; McCormick, Mike; public-wsc-wg@w3.org
>>>> Subject: Re: Authentium
>>>>
>>>> To be clear, I don't think this is "secure web browsing". I think this
>>>> is a "Some Bank's Home Banking Application" that happens to, under the
>>>> covers, use the protocols and technologies that we call "the web".
>>>>
>>>> cheers,
>>>> mike
>>>>
>>>> On 30-Jul-07, at 3:14 PM, Dan Schutzer wrote:
>>>>
>>>>> I agree that there are a number of vendors, and that the idea of
>>>>> talking Secure Web Browsing is that we can scale it up and get the
>>>>> mainstream vendors Mozilla, Microsoft etc supporting it. I think the
>>>>> timing might be right to start talking seriously as to how we can all
>>>>> work together to make this happen; launch some joint W3C/FSTC
>>>>> follow-on to the WSC.
>>>>>
>>>>> Dan Schutzer
>>>>>
>>>>> -----Original Message-----
>>>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mike Beltzner
>>>>> Sent: Monday, July 30, 2007 2:56 PM
>>>>> To: Thomas Roessler
>>>>> Cc: michael.mccormick@wellsfargo.com; public-wsc-wg@w3.org
>>>>> Subject: Re: Authentium
>>>>>
>>>>>
>>>>> Mark Finkle, a Mozilla Technology Evangelist, has produced a set of
>>>>> binaries called "WebRunner" which is meant to make it easier to
>>>>> produce an HTML client that talks to a single web-application. He
>>>>> hasn't done any work vis-a-vis locking it down from a security
>>>>> perspective, but we could talk to him about adding that to his
>>>>> working list of requirements.
>>>>>
>>>>> I think there's some value in looking at organizations creating and
>>>>> distributing website specific apps, and it fits into a model of
>>>>> "web-backed widgetry" which is popular on mobile devices.
>>>>>
>>>>> cheers,
>>>>> mike
>>>>>
>>>>> On 30-Jul-07, at 1:57 PM, Thomas Roessler wrote:
>>>>>
>>>>>>
>>>>>> (Cutting the CC list down)
>>>>>>
>>>>>> On 2007-07-30 11:16:15 -0500, michael.mccormick@wellsfargo.com wrote:
>>>>>>
>>>>>>> There are emerging vendors who offer a hardened web browser that
>>>>>>> only allows the user to access certain pre-vetted web sites.  The
>>>>>>> one I saw demo'd today is based on the Mozilla code base.  The UI
>>>>>>> looks like a stripped-down Firefox.  While it's running all other
>>>>>>> Windows programs (inc. any key loggers or other malware) are more
>>>>>>> or less suspended.  Only SSL communication is allowed.  The
>>>>>>> browser also uses a private DNS server to avoid DNS poisoning and
>>>>>>> a signed URL list to avoid bookmark poisoning.
>>>>>>
>>>>>> I wonder how scalable this actually is, and how much it'll be used.
>>>>>> I've seen similar approaches demonstrated where the banking platform
>>>>>> was launched from a read-only Linux distribution (on CD), to defend
>>>>>> against any possible malware infestation.
>>>>>>
>>>>>> Regards,
>>>>>> --Thomas Roessler, W3C  <tlr@w3.org>
>>>>>>
>>
>> --/*
>> Serge Egelman
>>
>> PhD Candidate
>> Vice President for External Affairs, Graduate Student Assembly
>> Carnegie Mellon University
>>
>> Legislative Concerns Chair
>> National Association of Graduate-Professional Students
>> */
> 

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 30 July 2007 22:36:58 UTC
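The hardened browser described in the quoted thread enforces two of its controls at the navigation layer: only SSL/TLS destinations are allowed, and the set of reachable sites comes from a signed list so that an attacker with write access to the user's profile cannot quietly add a look-alike bank ("bookmark poisoning"). The Go program below is an added example written for this page, not code from the vendor product, WebRunner or the W3C WSC group. It assumes an Ed25519 vendor signing key whose public half is baked into the browser binary, an allowlist of canonical "https://host[:port]" origins, and the constructed origin "https://www.whateverbank.example"; the private DNS resolver mentioned in the thread is out of scope here. Signature verification happens before the list is parsed, and the navigation gate refuses anything that is not https or whose origin is not on the verified list, including the "user@host" and suffix look-alike forms a phishing mail would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Allowlist is the vendor-signed "shortcut list": the only origins a
// restricted browser instance is permitted to load.
type Allowlist struct {
	Version int      `json:"version"`
	Origins []string `json:"origins"` // "https://host[:port]", one per entry
}

// SignedAllowlist is the artifact shipped alongside the browser. The
// verifying public key lives in the browser binary, never in the list file.
type SignedAllowlist struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// SignAllowlist serialises and signs the list with the vendor's Ed25519 key.
func SignAllowlist(priv ed25519.PrivateKey, list Allowlist) (SignedAllowlist, error) {
	payload, err := json.Marshal(list)
	if err != nil {
		return SignedAllowlist{}, err
	}
	return SignedAllowlist{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// LoadAllowlist verifies the signature before parsing anything, so a list
// edited on disk (bookmark poisoning) is rejected outright.
func LoadAllowlist(pub ed25519.PublicKey, s SignedAllowlist) (*Allowlist, error) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return nil, errors.New("allowlist signature does not verify")
	}
	var list Allowlist
	if err := json.Unmarshal(s.Payload, &list); err != nil {
		return nil, err
	}
	return &list, nil
}

// canonicalOrigin reduces a parsed URL to the "https://host[:port]" form
// used in the list: host lower-cased, default port dropped, userinfo ignored.
func canonicalOrigin(u *url.URL) string {
	host := strings.ToLower(u.Hostname())
	if p := u.Port(); p != "" && p != "443" {
		host += ":" + p
	}
	return "https://" + host
}

// Policy is the navigation gate consulted before any top-level load.
type Policy struct{ origins map[string]bool }

func NewPolicy(list *Allowlist) *Policy {
	p := &Policy{origins: make(map[string]bool, len(list.Origins))}
	for _, o := range list.Origins {
		p.origins[strings.ToLower(o)] = true
	}
	return p
}

// Allow reports whether rawURL may be loaded and, if not, why. Only https
// is accepted, and the origin must be on the signed list; http://,
// javascript:, "bank@evil" and "bank.evil" forms are all refused.
func (p *Policy) Allow(rawURL string) (bool, string) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, "unparseable URL"
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return false, "scheme is not https"
	}
	if u.Hostname() == "" {
		return false, "missing host"
	}
	if !p.origins[canonicalOrigin(u)] {
		return false, "origin not on signed list"
	}
	return true, ""
}

func main() {
	// Vendor key pair, generated here only so the demo is self-contained.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, err := SignAllowlist(priv, Allowlist{Version: 1, Origins: []string{"https://www.whateverbank.example"}})
	if err != nil {
		panic(err)
	}
	list, err := LoadAllowlist(pub, signed)
	if err != nil {
		panic(err)
	}
	policy := NewPolicy(list)
	for _, u := range []string{
		"https://www.whateverbank.example/login",
		"HTTPS://WWW.WHATEVERBANK.EXAMPLE:443/",
		"http://www.whateverbank.example/login",
		"https://www.whateverbank.example@evil.example/",
		"https://www.whateverbank.example.evil.example/",
	} {
		ok, why := policy.Allow(u)
		fmt.Printf("%-50s allowed=%v %s\n", u, ok, why)
	}
	// Simulate malware rewriting the list on disk: the signature no longer verifies.
	poisoned := signed
	poisoned.Payload = []byte(`{"version":1,"origins":["https://evil.example"]}`)
	if _, err := LoadAllowlist(pub, poisoned); err != nil {
		fmt.Println("poisoned list rejected:", err)
	}
}
```

The design point is that the list file carries no authority of its own: whoever can write to the profile directory can change the bytes, but without the vendor's private key the browser will not accept them, and a list verified against the wrong public key is treated the same as a tampered one.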