Hi Gerv,

On 6/15/05, Gervase Markham <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > The first is that the current UI does not enable even an expert user
> > to reliably detect a phishing attack. This failing must be corrected
> > before we have any hope of helping the naive user. All of the widgets
> > in the current UI contain information provided by the attacker. The
> > URL, the page content, the SSL certificate (if any) are all data
> > elements provided by the attacker.
>
> That's not entirely true.

No, it *is* entirely true, and it is a crucial point. The URL string displayed in the Location tool is the one sent by the attacker. The displayed page content is fetched from the attacker's web server. The decision of whether or not to use SSL is based on the URL provided by the attacker. If SSL is used, the displayed certificate is fetched from the attacker's web server. The attacker has total control over what information the browser displays. The user is then asked to discover discrepancies in information that has been carefully designed for deception. This type of game is better suited to a book of puzzles than a secure user interface.

> The URL is sort of provided by the attacker,
> but if the domain doesn't match the domain the user is looking for, they
> can notice this using the domain indicator.

That's exactly what I mean by: "asking the user to discover discrepancies in information that has been carefully designed for deception". The attacker can populate the Location tool and domain indicator with a deceptively similar domain name. The attacker and Firefox create a puzzle and ask the user to solve it. This is a ludicrously bad user interaction model. It has failed in spectacular fashion, resulting in billions of dollars in losses. We need to change the model.

The petname tool changes the model by displaying identification information provided exclusively by the user and outside the control of the attacker. The user now has a reference to consult, free from possible deception by the attacker.

> > The recent Shmoo attack is a good demonstration of how
> > difficult it can be to discover a discrepancy.
>
> As I hope you know, we are working on dealing with this issue. The fact
> that users can be fooled by this is a problem/bug, but it's not one that
> can be used to reason that our approach is wrong.

The fundamental flaw in the approach is letting the attacker configure the trusted elements of the UI. Shmoo is just one extreme example of how much leverage the attacker can get from this power. To solve the problem we must take this power away from the attacker. The petname tool shows how this can be done.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
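
The model argued for in the message above, as an added example that is not part of the original post and is not the petname tool's own code: the indicator text comes only from a user-owned map, so a deceptively similar domain gets no name at all. The `PetnameStore` class, the host-plus-certificate-fingerprint key, and all sample hosts and fingerprints are assumptions made for illustration.

```javascript
// Petname store: the label shown in browser chrome comes only from this
// user-owned map, never from the page, the URL or the certificate text.
class PetnameStore {
  constructor() {
    this.bySite = new Map(); // site key -> petname as the user typed it
    this.byName = new Map(); // normalised petname -> site key
  }

  // Assumption: a site is identified by its TLS-authenticated host plus
  // certificate fingerprint. No TLS means no identity to bind a name to.
  static siteKey(site) {
    if (!site.certFingerprint) return null;
    return site.host.toLowerCase() + '|' + site.certFingerprint;
  }

  assign(site, petname) {
    const key = PetnameStore.siteKey(site);
    if (key === null) throw new Error('cannot name an unauthenticated site');
    const norm = petname.trim().toLowerCase();
    const owner = this.byName.get(norm);
    // Petnames must be unique, or the user's reference becomes ambiguous.
    if (owner !== undefined && owner !== key) {
      throw new Error('petname already assigned to another site');
    }
    const old = this.bySite.get(key);
    if (old !== undefined) this.byName.delete(old.trim().toLowerCase());
    this.bySite.set(key, petname);
    this.byName.set(norm, key);
  }

  // What the chrome shows for the site currently loaded.
  indicator(site) {
    const key = PetnameStore.siteKey(site);
    const petname = key === null ? undefined : this.bySite.get(key);
    return petname === undefined ? 'untrusted' : petname;
  }
}

// Constructed sample data; hosts and fingerprints are placeholders.
const bank = { host: 'www.bank.example', certFingerprint: 'AA:11' };
// Visually similar host (Cyrillic U+0430 for "a") with its own certificate.
const lookalike = { host: 'www.b\u0430nk.example', certFingerprint: 'BB:22' };
const noTls = { host: 'www.bank.example', certFingerprint: null };

function demo() {
  const store = new PetnameStore();
  store.assign(bank, 'My Bank');
  return [bank, lookalike, noTls].map((s) => store.indicator(s));
}
```

The lookalike site cannot make the indicator read "My Bank": it controls its URL, content and certificate, but not the user's map.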
