Re: Unforgeable dialog.
"James A. Donald" <[EMAIL PROTECTED]> writes: >2. Html encourages legitimate businesses to use complicated and obfuscated >actual targets for their urls, indistinguishable from those used by phishers. I think a more general extension of this is "HTML allows the use of arbitrarily sophisticated presentation attacks". This definitely isn't a capability you want to give to a malicious party, although it's way too late to shut the barn door any more. Peter. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable dialog.
-- Travis H. wrote: What changed when going from ASCII text to HTML in emails that makes phishing so much more of a problem? 1. Html obfuscates the actual target of a url. 2. Html encourages legitimate businesses to use complicated and obfuscated actual targets for their urls, indistinguishable from those used by phishers. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG 2nR74Yxw4lhrh+CUYfGSzn2lhDblXe27MD4Hb6/i 47hSn6z18XB2taOFnq+uHQwDG2WEDYsgB8vYgSlkv - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable dialog.
That is a nice trick, but that still may not work entirely: if i make sure my untrusted app always opens in maximized mode, the untrusted decoration (in your case a big black border which actually _disappears_) may be unnoticed along the edges of the screen; if my app then simulates the whole desktop as it was before it started, it can draw a trusted-looking dialog anywhere on the screen... Jaap-Henk On Thu, 2 Feb 2006 18:20:21 -0500 "Trei, Peter" <[EMAIL PROTECTED]> writes: > Piers Bowness wrote: > >> This is concept is surprisingly complex. Once the attacker sees the > "secure" dialog, > what prevents them from using the same techniques > and/or code to create a visually > > identical spoof? > > (Hi Piers!) > > I actually dealt with this in a former job, where I wrote a proxy > for Xwindows which did similar decoration for trusted and untrusted > X clients. > > The trick is to invert the indicators - your rendering engine (whether > an Xwindows server, browser, or a windowing OS) has final say over > the outermost frame of all windows. > > You mark the *untrusted* ones in the outer frame - a malicous client can > do whatever it wants inside its windows, but it can't overwrite and hide > the untrusted indicators in the outer frame. (We put a fat black border > around them). > > Of course, if you run on an OS where any app can modify any binary, > you're SOL. > > Peter Trei > > - > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] > > -- Jaap-Henk Hoepman | I've got sunshine in my pockets Dept. of Computer Science | Brought it back to spray the day Radboud University Nijmegen |Gry "Rocket" (w) www.cs.ru.nl/~jhh | (m) [EMAIL PROTECTED] (t) +31 24 36 52710/53132 | (f) +31 24 3653137 - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable dialog.
James A. Donald wrote: > -- > One needs to differentiate dialogs brought up from within the browser > client, which are trustworthy unless one is infected with malware, > from popups brought up by some other web page. (Of course if popups > are disabled except for specific sites, this is considerably less of a > problem.) > > How would one construct a dialog from within Firebox so that it is > obviously different from any unprivileged web page that attempts to > imitate it? This was exactly what a project in our lab addressed, a few years ago. Check out "Trusted Paths for Browsers" at http://www.cs.dartmouth.edu/~sws/research/pubs.shtml. The approach was to have trusted windows' frames flash randomly but in synchrony with an indicator window which is inaccessible to javascript etc. The flashing pattern is inaccessible to unprivileged code, so cannot be spoofed. Includes some user studies. Alex -- Alex Iliev <[EMAIL PROTECTED]> Dartmouth College Computer Science http://www.cs.dartmouth.edu/~sasho/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable dialog.
In one environment I worked in, it was important that people know what kind of data they were looking at. The way they solved it was to put a green colored border and label on one kind of data, and a red border and different label on another kind of data. This reduces usable screen area a bit, but it seemed to work. Of course this assumes that the phony emails and web pages can only control the contents of the window, not the border area or framing, but that's an obvious requirement to any such system. Similarly, at home I have a number of systems on a KVM, and I set the background color to be different on each, so that I don't get confused regarding which one I'm on. I have no idea what firebox or XUL are. Am I supposed to? What changed when going from ASCII text to HTML in emails that makes phishing so much more of a problem? -- "Whosoever is delighted in solitude is either a wild beast or a god." -><- http://www.lightconsulting.com/~travis/ GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Unforgeable dialog.
Piers Bowness wrote: > This is concept is surprisingly complex. Once the attacker sees the "secure" dialog, > what prevents them from using the same techniques and/or code to create a visually > > identical spoof? (Hi Piers!) I actually dealt with this in a former job, where I wrote a proxy for Xwindows which did similar decoration for trusted and untrusted X clients. The trick is to invert the indicators - your rendering engine (whether an Xwindows server, browser, or a windowing OS) has final say over the outermost frame of all windows. You mark the *untrusted* ones in the outer frame - a malicous client can do whatever it wants inside its windows, but it can't overwrite and hide the untrusted indicators in the outer frame. (We put a fat black border around them). Of course, if you run on an OS where any app can modify any binary, you're SOL. Peter Trei - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable dialog.
-- Bowness, Piers wrote: > Once the attacker sees the "secure" dialog, what prevents them from > using the same techniques and/or code to create a visually identical > spoof? There have been several OS-level designs to create > hardware-supported secure dialogs. Needless to say, these schemes > became exceedingly complex and had a variety of implementation > issues (i.e. special graphics hardware, drivers, TCMs, etc.) > > I don't see your proposals as providing 'secure' data viewing or > data entry solutions. IMHO, the best bet is currently provided by > layered security software where each component monitors and reports > on the others. Even this approach is temporary at best as we're now > seeing with malware that attacks by first disabling the currently > available protection layers (e.g., anti-virus, firewalls). My computer does not get malware. It regularly gets phishing and legitimate emails that are very difficult to tell apart. The techniques I discuss would make them very easy to tell apart. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG 1JOeu/66DKl9KMzOvnF83U6mD6SUSbLgXtgqAEz1 4swvP0Ni9aalk9b1QtRcmLZWW2OeWw0Z77uFyH3Pj - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Unforgeable dialog.
This is concept is surprisingly complex. Once the attacker sees the "secure" dialog, what prevents them from using the same techniques and/or code to create a visually identical spoof? There have been several OS-level designs to create hardware-supported secure dialogs. Needless to say, these schemes became exceedingly complex and had a variety of implementation issues (i.e. special graphics hardware, drivers, TCMs, etc.) I don't see your proposals as providing 'secure' data viewing or data entry solutions. IMHO, the best bet is currently provided by layered security software where each component monitors and reports on the others. Even this approach is temporary at best as we're now seeing with malware that attacks by first disabling the currently available protection layers (e.g., anti-virus, firewalls). -Piers -- Piers Bowness "I know what I believe, and I believe what I believe is right." - G.W. Bush - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]