On Wednesday 08 June 2005 07:21, Heikki Toivonen wrote:
> > http://petname.mozdev.org/
>
> I briefly checked it out. It is certainly interesting. It looks like a
> variation of the theme where users and the browser share a common secret
> (in this case user written text, in some other proposal user selected
> pictures, or automatically calculated hashes etc.) It is also related to
> https://bugzilla.mozilla.org/show_bug.cgi?id=286107.
>
> Some weaknesses I thought of:

So this is where we are in the investigation of phishing. There are researchers scattered all around the place putting together tools that reflect their thoughts. Many of these thoughts are individual and divergent, and some of them are closely related. For example, Petnames and Trustbar share common elements and have also benefited from some cross-fertilisation of ideas simply by talking, comparing, competing.

OTOH, the tool posted by Heikki the other day is new to me and I suspect a few other people, although people have been whiteboarding the pictures idea for some time. Its commonality is in sharing information derived from the site, but it isn't using user actions to create that info. Some good ideas there.

There is one other big school of thought that is evolving, which is the centralised database of Netcraft, and I believe some other companies are also looking in this direction. This is an important thread to watch, although because it is commercially motivated, discussion is likely to be stilted.

All of these ideas are evolving, and are still raw. If asked I could sit down and write reams on how they are all useless, or on how they are wonderful. Which or whether or why is not the point, as it is simply unclear at this stage what is the ideal direction to go.

What this means is we need lots of experimentation. Lots of it, oodles of it. I don't mean here that Mozilla insist on seeing papers and controlled tests on users; I mean these tools have to get out to the users and we have to figure out which are working and which are not.

Mozilla has a role to play here - they can promote these tools as experiments. They can promote discussion on these experiments, and can promote the interplay between experiments. They can put the people who are working on these tools together. Mozilla can also push the tools out to users and facilitate the feedback channels for user-to-developer experiences.

But what is not being looked for is any "decision" on this good or that bad. That will come in time, and it will be obvious, given enough experimentation, feedback, competition and the like.

So when you look at these tools, I'd encourage you all to think positively - assume they aren't perfect but look at what's good in them, and think who else could benefit from those ideas. How do we find those people and bring them together? That's the real task here - coordination, interchange, and getting some way for users to give us feedback.

> As you can see, not many of them are about the technology behind this.
> Once the technological hurdles are passed, it becomes another difficult
> process of assessing what and how things should be deployed into
> millions of people's browsing experience with the least amount of
> intrusion while making it idiot proof. And keep in mind what Gervase
> said - you don't want to make a mistake with this, and change or
> backpedal a little later. And it should be something that can be
> implemented by other browser vendors if they so choose so that browsers
> can maintain common guidelines and it is easy to train users.

OK, so I hope you don't mind, but I have to suggest that this approach is a mistake, IMO. What is required here is experimentation. Move forward and if it fails then rip it out and say "sorry". So what? It's hardly likely to make phishing any worse.

As a perfectly fine example, there is this fantastic little experiment in Firefox - the extra padlock in the URL bar. Wonderful addition, wonderfully conceived and executed. Top marks to the guy who came up with it! Unfortunately it's a dud **. And should be removed or reworked. So, remove it, and let's get on with the next grand experiment, the next potential thing. Is that embarrassing? No way. We need more of that! ....

> I've posted info about this to the security group and asked people to take a
> look. But in addition to the security people you would need to win the
> UI people on this, which may very well be harder than winning the
> security people over.

This is a chicken and egg situation. The UI people aren't likely to do this if the security people do not push for it, because it is a security problem. And the security people aren't likely to push for it as it is mostly a UI problem... Which is it? It's both.

That's why we are looking for meta-level security and UI coordination. That's why we are looking for the security process, because normally security processes are set up to cross the boundaries between the security code silo and the application and UI silos and bring these diverse elements together. As far as I can see, it is "staff" that does that.

iang

** have a look at http://iang.org/ssl/ and look at how I added the padlock to the URL bar .... sans SSL. I stole this from http://pgp.com/ who denied any knowledge of the invention.

--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
