- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Thu, 1 Mar 2007 09:53:47 -0500
- To: public-wsc-wg@w3.org
- Message-ID: <OFCD83D777.CEE81ACE-ON85257291.004DD6D8-85257291.0051D45E@LocalDomain>
George, Yngve, MikeB and Thomas have action items to help us with the robustness recommendations by documenting techniques in play with various browsers today. In parallel, we can begin to lay out categories and examples of techniques in play today, in web user agents (and in web applications) in all their forms, and techniques that we've discussed on the list so far. Here's a start.

1) Making security indicators hard to guess, thus hard to spoof correctly

This is the category of security indicators that represent "shared secrets" between an entity that the user (in theory) trusts, whether it's the web user agent, or a particular web site/service. Examples include dynamic security skins (http://cups.cs.cmu.edu/soups/2005/2005proceedings/p77-dhamija.pdf), petnames (and passpet), and web site personalization techniques (http://www.w3.org/2005/Security/usability-ws/papers/21-wright-position/). Does anyone have other examples, or any better references on web site personalization or secret sharing? Something similar but not exactly the same is Lotus Notes' display in the password prompt of a selection from a set of pictures (keychains) based on the user's typed input.

2) Designing a trusted path around security indicators

I'm guessing no browsers do that in general today, but it's the classic security technique (http://csrc.nist.gov/secpubs/rainbow/std001.txt). What ctrl-alt-del provides today in some OSes. Rich clients such as Lotus Notes do not provide functions to put up displays where, for example, the security indicators at the bottom of the window are. A mode where no active content or secondary windows were allowed at all might provide this. All interactive ceremony work would fall here (I believe). For example, Web Wallet. I'm not quite sure if the password management aspect of Passpet (and others) goes here. I think perhaps it does, along with other techniques and protocols that ensure that user information only goes to the places it's already been, or where the user intends, or nowhere at all (protocols that prove the site has a secret without passing that secret). Other references/examples?

3) Specific techniques restricting the ability of web sites to produce displays that spoof or suppress web user agent security indicators

During discussion in the f2f I heard that (some? all major?) browsers
a) do not allow web content to move the edges of the browser window out of the display area (which might move security indicators out of the user's view)
b) do not allow web content to put up windows without a minimal subset of security or other indicators (what were they?).

Are there other techniques in use or under consideration? Is that it? What have I missed?

Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
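As an added example that is not part of the message above or of any of the cited papers, the origin-keyed lookup behind the "shared secret" indicators of category 1: the user's private label and picture live in the agent, keyed by exact origin, so a lookalike site, which cannot know them, gets only the neutral indicator (the names PetnameStore, canonicalOrigin and the sample origins are assumptions):

```javascript
// Added example (not from the W3C thread): a petname-style indicator store in
// the spirit of category 1. Page script never sees the store; only the
// agent's own chrome reads it, so a site cannot learn or forge the label.

// Canonicalise an origin: scheme, lowercase host and an explicit port, so
// "https://Bank.example" and "https://bank.example:443/x" compare equal.
function canonicalOrigin(urlString) {
  const u = new URL(urlString);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${u.port || defaultPort}`;
}

class PetnameStore {
  constructor() {
    this.map = new Map(); // origin -> { petname, imageId }
  }

  // Called only from the agent's trusted UI. Labels are bound to TLS origins
  // so a plain-http connection to the same host does not inherit the secret.
  assign(urlString, petname, imageId) {
    if (new URL(urlString).protocol !== 'https:') {
      throw new Error('petnames are only assigned to https origins');
    }
    this.map.set(canonicalOrigin(urlString), { petname, imageId });
  }

  // What the agent renders in its chrome for the currently loaded page.
  // An exact-origin miss (lookalike host, other scheme or port) yields the
  // neutral indicator rather than anything the page could have predicted.
  indicatorFor(urlString) {
    const hit = this.map.get(canonicalOrigin(urlString));
    if (hit) {
      return { known: true, petname: hit.petname, imageId: hit.imageId };
    }
    return { known: false, petname: 'unknown site', imageId: null };
  }
}

// Constructed sample: the user labels one origin, then visits three pages.
const store = new PetnameStore();
store.assign('https://bank.example/', 'my bank', 'img-07');
console.log(store.indicatorFor('https://bank.example/login'));           // known
console.log(store.indicatorFor('https://bank.example.evil.test/login')); // unknown
console.log(store.indicatorFor('http://bank.example/'));                 // unknown
```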
Received on Thursday, 1 March 2007 14:54:13 UTC