Tyler Close wrote:
> OK, so after you've written the papers and the code what's the next
> step along this path?
> 
> I've implemented the petname tool, an anti-phishing browser extension.
> You can find it at:
> 
> http://petname.mozdev.org/

I briefly checked it out. It is certainly interesting. It looks like a
variation of the theme where users and the browser share a common secret
(in this case user-written text; in some other proposals user-selected
pictures, automatically calculated hashes, etc.). It is also related to
https://bugzilla.mozilla.org/show_bug.cgi?id=286107.

Some weaknesses I thought of:

* Requires diligence from the user to write something in the reminder
note for sites they have visited and trust
* Of course the users need to look at it and know what to expect (same
issue with every piece of UI of course)
* Does not exist in other browsers (could be overcome if all vendors agreed)
* Kind of hard to integrate that nicely into the default look and feel
where space is at a premium. And remember you can't rely on the toolbar
area because websites can turn that off.
* Not as pretty as pictures
* And although it's out of the scope of petnames, it does not provide
any help to a user who goes to a legitimate-looking site for the first
time to determine if it would be ok to use the site

As you can see, not many of them are about the technology behind this.
Once the technological hurdles are passed, it becomes another difficult
process of assessing what and how things should be deployed into
millions of people's browsing experience with the least amount of
intrusion while making it idiot-proof. And keep in mind what Gervase
said - you don't want to make a mistake with this, and change or
backpedal a little later. And it should be something that can be
implemented by other browser vendors if they so choose, so that browsers
can maintain common guidelines and it is easy to train users.

> There's a fully functional Firefox extension available at that site.
> The code has been written. I've also written several papers about the
> petname tool and why it works. There's been an extensive review of
> this work on another security focused mailing list. Now how do I go
> about getting the Mozilla Security Group to review this work and
> incorporate it into the main Firefox UI? If no one has the time or
> inclination, how do I become a member of the Mozilla Security Group so
> that I can commit the changes to CVS myself? I have extensive
> experience producing security critical code, much of which has been
> scrutinized by some of the best minds in the field.

Please add information to the site about the following:

* Some details on how it is implemented, how does it associate the
"petname" with a site, where is the "petname" stored and how, and so on.
People can of course read the code, but it would be nice to get a quick
summary of what to look for.

* Links to papers that you have written and other related articles.

* Links to discussions, reviews etc. about the extension.


I've posted info about this to the security group and asked people to take
a look. But in addition to the security people you would need to win the
UI people over on this, which may very well be harder than winning the
security people over.

Personally I think some variation of the general theme of the browser
and user sharing a secret might be accepted, but due to some of the
weaknesses I listed above I doubt petnames as is would make it into
default Mozilla.

-- 
  Heikki Toivonen
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
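The "browser and user share a secret" theme discussed in the message above, as an added illustration that is not part of this thread and is not the code of the petname tool at petname.mozdev.org (the message itself asks how that tool associates and stores petnames, and this example does not answer that). It assumes the simplest workable association, keying the user's text by the site's origin (scheme, host and port), with an in-memory Map standing in for whatever persistent store a real extension would use; the site names are constructed for the example. The point it shows is the one a phishing defence needs: a site the user never labelled, including a lookalike domain, gets only the fixed "untrusted" marker, because the attacker has no way to write into the user's own store.

```javascript
// Added example: a petname store keyed by site origin. Not the code of
// the petname tool; the key format, storage and sample sites are
// assumptions made for this illustration.
class PetnameStore {
  constructor() {
    // origin -> user-chosen petname (a real extension would persist this)
    this.byOrigin = new Map();
  }

  // Reduce a URL to its origin. Returns null for URLs without a usable
  // origin (about:blank, data:, javascript:, unparseable input), so the
  // indicator never shows a stale petname on such pages.
  static originOf(url) {
    let u;
    try {
      u = new URL(url);
    } catch (e) {
      return null;
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // e.g. "https://bank.example" (default port omitted)
  }

  // The user labels the site currently shown. The text is the user's own,
  // so nothing the site sends can influence what the indicator displays.
  assign(url, petname) {
    const origin = PetnameStore.originOf(url);
    if (origin === null) throw new Error("no origin for " + url);
    const name = petname.trim();
    if (name.length === 0) throw new Error("empty petname");
    this.byOrigin.set(origin, name);
    return origin;
  }

  // What the chrome indicator should display for a URL. Unlabelled sites,
  // lookalike domains included, get a fixed marker; only exact origin
  // matches recover the user's text. http and https origins are distinct,
  // so a downgraded page does not inherit the https petname.
  lookup(url) {
    const origin = PetnameStore.originOf(url);
    if (origin === null) return { known: false, text: "(no site)" };
    const name = this.byOrigin.get(origin);
    if (name === undefined) return { known: false, text: "untrusted" };
    return { known: true, text: name };
  }
}

// Walk through the cases the discussion above raises: a labelled site, the
// same host over plain http, a lookalike domain, and a first visit to a
// site that was never labelled. All site names are constructed.
function demo() {
  const store = new PetnameStore();
  store.assign("https://bank.example/login", "My Bank");
  return {
    bank: store.lookup("https://bank.example/accounts/summary"),
    plainHttp: store.lookup("http://bank.example/login"),
    lookalike: store.lookup("https://bank-example.test/login"),
    firstVisit: store.lookup("https://shop.example/"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Note that the "first visit" case is exactly the weakness the message lists: the store cannot say anything useful about a site until the user has done the work of labelling it, and the "untrusted" marker is only as good as the user's habit of looking for the petname before typing a password.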