Techniques to make security indicators robust against spoofing

George, Yngve, MikeB and Thomas have action items to help us with the 
robustness recommendations by documenting techniques in play with various 
browsers today. In parallel, we can begin to lay out categories and 
examples of techniques in play today, in web user agents (and in web 
applications) in all their forms, and techniques that we've discussed on 
the list so far. Here's a start. 

1) Making security indicators hard to guess, thus hard to spoof correctly

This is the category of security indicators that represent "shared secrets" 
between an entity that the user (in theory) trusts, whether it's the web 
user agent, or a particular web site/service. Examples include dynamic 
security skins 
(http://cups.cs.cmu.edu/soups/2005/2005proceedings/p77-dhamija.pdf), 
petnames (and passpet), and web site personalization techniques 
(http://www.w3.org/2005/Security/usability-ws/papers/21-wright-position/). 


Does anyone have other examples, or any better references on web site 
personalization or secret sharing? Something similar but not exactly the 
same is Lotus Notes' display in the password prompt of a selection from a 
set of pictures (keychains) based on the user's typed input. 

2) Designing a trusted path around security indicators 

I'm guessing no browsers do that in general today, but it's the classic 
security technique (http://csrc.nist.gov/secpubs/rainbow/std001.txt). What 
ctrl-alt-del provides today in some OSes. Rich clients such as Lotus Notes 
do not provide functions to put up displays where, for example, the 
security indicators at the bottom of the window are. A mode where no 
active content or secondary windows were allowed at all might provide 
this. 

All interactive ceremony work would fall here (I believe). For example, 
Web Wallet. I'm not quite sure if the password management aspect of 
Passpet (and others) goes here. I think perhaps it does, along with other 
techniques and protocols that ensure that user information only goes to 
the places it's already been, or where the user intends, or nowhere at 
all (protocols that prove the site has a secret without passing that 
secret). 

Other references/examples? 

3) Specific techniques restricting the ability of web sites to produce 
displays that spoof or suppress web user agent security indicators 

During discussion in the f2f I heard that (some? all major?) browsers 
a) do not allow web content to move the edges of the browser window out of 
the display area (which might move security indicators out of the user's 
view)
b) do not allow web content to put up windows without a minimal subset of 
security or other indicators (what were they?). 

Are there other techniques in use or under consideration? 


Is that it? What have I missed? 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Received on Thursday, 1 March 2007 14:54:13 UTC
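The dynamic security skins idea under category 1, as an added Python sketch that is not part of the original post or of the cited paper: the user agent and the site each derive a visual pattern from a secret they share plus a per-session nonce, the agent draws its own copy in trusted chrome, and a look-alike page that lacks the secret cannot reproduce the expected pattern. The function names, the toy 8x8 rendering and the secret values are assumptions; the paper derives its pattern from a key established by password-authenticated key exchange, and here a pre-shared secret stands in for that step.

```python
"""Shared-secret visual indicator (dynamic-security-skin style), constructed
example.  A page that does not hold the user's secret cannot produce the
pattern the user agent expects, so a spoofed login page is visibly wrong."""
import hashlib
import hmac
import secrets

GRID = 8  # the visual hash is an 8x8 block pattern (assumed toy rendering)


def derive_skin_seed(shared_secret: bytes, session_nonce: bytes) -> bytes:
    # Keyed hash over the nonce: each session gets a fresh pattern, so a pattern
    # copied from one session cannot be replayed on a spoofed page later.
    return hmac.new(shared_secret, b"skin|" + session_nonce, hashlib.sha256).digest()


def render_skin(seed: bytes) -> list[str]:
    # Expand the first 8 bytes of the seed into 64 bits and draw them as rows.
    bits = "".join(f"{b:08b}" for b in seed[: GRID * GRID // 8])
    return ["".join("#" if bits[r * GRID + c] == "1" else "." for c in range(GRID))
            for r in range(GRID)]


def site_page(site_secret: bytes, nonce: bytes) -> list[str]:
    # What a site embeds in its login page: the pattern derived from the secret it holds.
    return render_skin(derive_skin_seed(site_secret, nonce))


def agent_verdict(agent_secret: bytes, nonce: bytes, page_skin: list[str]) -> bool:
    # The user agent draws its own pattern in trusted chrome and compares the page's
    # copy against it; a mismatch is the cue that the page is not the enrolled site.
    expected = render_skin(derive_skin_seed(agent_secret, nonce))
    return hmac.compare_digest("".join(expected), "".join(page_skin))


def demo() -> tuple[bool, bool]:
    shared = b"enrolled-secret-for-bank.example"  # constructed, set at enrollment
    nonce = secrets.token_bytes(16)
    legit = site_page(shared, nonce)
    spoof = site_page(b"look-alike-without-the-secret", nonce)  # constructed spoof
    return agent_verdict(shared, nonce, legit), agent_verdict(shared, nonce, spoof)


if __name__ == "__main__":
    print("\n".join(site_page(b"enrolled-secret-for-bank.example", b"nonce-1")))
    print(demo())  # (True, False)
```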