- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 4 May 2007 21:32:04 -0400
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, wdoyle@mitre.org, public-wsc-wg@w3.org
ACTION-197 is still marked open; I'm not sure there's a good reason for that. I believe the discussion during our call on 18 April showed that the suggestion as made doesn't work out. It's not obvious to me at this time what a workable proposal would look like, although I suspect it would need to take the form of an amendment to the PII entry bar or similar ideas. Therefore, I ask that we close this action, and leave the Wiki content about the Contextual Password Warnings idea limited to the current link into the mailing list archive. Regards, -- Thomas Roessler, W3C <tlr@w3.org> On 2007-04-23 20:55:26 +0200, Thomas Roessler wrote: > From: Thomas Roessler <tlr@w3.org> > To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> > Cc: wdoyle@mitre.org, public-wsc-wg@w3.org > Date: Mon, 23 Apr 2007 20:55:26 +0200 > Subject: Re: Rough proposal: Contextual Password Warnings > X-Spam-Level: > X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.5 > > Discharging ACTION-197 (but not in the Wiki, yet, since I'm offline). > > - Hal pointed out that password sharing across different sites -- as > undesirable it might be -- is an *extremely* common habit, and > needs to be accommodated. It was proposed that a contextual > password warning feature might be adapted to recognize the > distinction between passwords that are readily shared, and > passwords that aren't. > > - Stuart noted that recognizing a password requires that it be typed > in wholly; however, a malicious site might circumvent that by > transmitting the password back character by character. > > (He's right about that, and this probably kills the obvious > technical implementation of the proposal. There might be room if > something like Tyler's PII bar took off, which I'm a little > skeptic about.) > > Source: http://www.w3.org/2007/04/11-wsc-minutes > > Cheers, > -- > Thomas Roessler, W3C <tlr@w3.org> > > > > > > On 2007-03-29 08:02:59 -0400, Mary Ellen Zurko wrote: > > From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> > > To: wdoyle@mitre.org > > Cc: public-wsc-wg@w3.org, Thomas Roessler <tlr@w3.org> > > Date: Thu, 29 Mar 2007 08:02:59 -0400 > > Subject: RE: Rough proposal: Contextual Password Warnings > > X-Spam-Level: > > X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.5 > > > > Thomas, please add this to the wiki area so it can be scheduled for a > > "lightening discussion" with other recommendations this month. > > > > http://www.w3.org/2006/WSC/wiki/RecommendationIndex > > > > Mez > > > > Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) > > Lotus/WPLC Security Strategy and Patent Innovation Architect > > > > > > > > > > "Doyle, Bill" <wdoyle@mitre.org> > > Sent by: public-wsc-wg-request@w3.org > > 03/26/2007 11:05 AM > > > > To > > "Thomas Roessler" <tlr@w3.org>, <public-wsc-wg@w3.org> > > cc > > > > Subject > > RE: Rough proposal: Contextual Password Warnings > > > > > > > > > > > > > > > > > > Thomas, > > > > In looking at the page, could be that the code uses multiple URLs and > > password fields are used in a way that could be determined to be a > > security issue. This may also work with context that I think Tyler has > > been talking about user determined "safe" sites. Something in the > > order of - any page with a password field is compared against URLs or > > pages that are marked in the user agent as "restricted" or "safe" and > > attempt to determine discrepancies. If someone else does not jump in, I > > will go to the sites and look at the code later and see if what pops > > up. > > > > Bill D. > > > > > > -----Original Message----- > > From: public-wsc-wg-request@w3.org > > [mailto:public-wsc-wg-request@w3.org] On Behalf Of Thomas Roessler > > Sent: Monday, March 26, 2007 7:01 AM > > To: public-wsc-wg@w3.org > > Subject: Rough proposal: Contextual Password Warnings > > > > > > Preparing for a talk, I'm going through some of our SharedBookmarks. > > > > Xia and Brustoloni had a paper, Hardening Web Browsers Against > > Man-in-the-Middle and Eavesdropping Attacks, at WWW 2005. In that > > paper they report successful user studies with two techniques: > > > > - Context-Sensitive Certificate Verification > > > > The success here is not that surprising, since there's actually no > > user override, but instructions for users how to obtain necessary > > information to secure their clients. I'm not sure how scalable that > > really is. > > > > - Specific Password Warnings > > > > This one focused on telling people very explicitly that they were > > submitting passwords in an unencrypted manner; they were looking for > > "password" type input fields (the starred ones). > > > > > > The flixster story that hit Slashdot today [1] makes me wonder if > > there is a somewhat more general good practice around helping users > > understand when they are submitting passwords "differently." I'd be > > curious to hear more about what's actually been implemented and/or > > tested in this space. > > > > 1. > > http://www.theinternetpatrol.com.nyud.net:8080/is-flixster-a-big-fat-sp > > ammer-are-they-hacking-your-aol-or-hotmail-address-book > > > > The idea would be to trigger very specific warnings when, e.g., > > > > - people submit passwords unencrypted that have only ever travelled > > thorugh TLS > > > > - people submit passwords to a site with a different TLS "identity" > > (the petnames notion of "identity" might be appropriate here) > > > > - people try to submit passwords through forms (or some script reads > > a form field, for that matter) that were used with secure password > > protocols before. > > > > Thoughts? > > -- > > Thomas Roessler, W3C <tlr@w3.org> > > > > > > > > > >
Received on Saturday, 5 May 2007 01:32:08 UTC