[cap-talk] Firefox breaks the principle of identifiability
Ben Laurie
ben at algroup.co.uk
Mon Feb 7 23:29:50 EST 2005
Jed at Webstart wrote:
> At 06:54 PM 2/7/2005, Ben Laurie wrote:
>
>> Tyler Close wrote:
>>
>>> Petnames solve this problem by eliminating the name conflation. A
>>> separate namespace is used to identify trust relationships. This
>>> namespace is managed solely by the user's browser, thus eliminating the
>>> potential attacker from the name recognition process. That's how the
>>> petname toolbar solves the phishing problem, both in theory and in
>>> practice.
>>
>>
>> So how, in this system, does the user come to trust Paypal (as opposed
>> to someone pretending to be Paypal)?
>
>
> If I'm understanding the discussion so far, I think the answer is that
> the issue of trust is separate from the issue of identity. When the
> Petname is set up, the name "Paypal" is bound to an identity. Any
> trust is independent of that identity. In an effort to pretend to
> be Paypal, "someone" would have to establish another identity. Of
> course the identity Paypal is already taken.
What do you mean "of course"? By what mechanism did the user identify
the "real" Paypal? How do you know they've ever even come across Paypal
before?
> Whatever identity
> the user set up for this someone, it would be different from "Paypal".
> This seems to make "trying to pretend" inherently difficult. What
> would induce a user to use a Petname like Paypa1 that could
> be easily confused with Paypal?
A website that says "this is the Paypal website" all over it, perhaps?
> How much the user chooses to trust either the Paypal identity/Petname
> or this other non-Paypal identity/Petname is of course up to the
> user with input from others such as friends, authorities, etc.
>
> I hope I'm close to the base issue.
Indeed, but I am no closer to understanding how the user ever gets to a
state where they can do anything useful.
Try this for a thought experiment. I have a brand new laptop. I have no
petnames for anything, obviously. What do I do now? Describe the process
by which I end up with a petname for Paypal that actually links to the
real Paypal.
Cheers,
Ben.
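To make the mechanism under discussion concrete, here is an added Python sketch (not code from this thread or from the petname toolbar) of the browser-managed namespace Tyler describes: petnames are keyed by something the browser can verify (a certificate fingerprint here, with constructed values), a site's own claims about its name never reach the lookup, and a hypothetical confusable check refuses a new petname such as "Paypa1" next to an existing "Paypal".

```python
import unicodedata

# Look-alike folding table; a real implementation would use the
# Unicode TR39 confusable skeleton. Hypothetical minimal table.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "|": "l"})


def skeleton(petname: str) -> str:
    """Fold case, compatibility forms and a few ASCII look-alikes."""
    folded = unicodedata.normalize("NFKC", petname).casefold()
    return folded.translate(LOOKALIKES)


class PetnameStore:
    """Identity -> petname map written only by the user, never by a site."""

    UNTRUSTED = "UNTRUSTED"

    def __init__(self) -> None:
        self._names: dict[str, str] = {}  # identity -> petname

    def bind(self, identity: str, petname: str) -> None:
        """User assigns a petname; reject one confusable with another identity's."""
        for other_id, other_name in self._names.items():
            if other_id != identity and skeleton(other_name) == skeleton(petname):
                raise ValueError(
                    f"{petname!r} is confusable with existing petname {other_name!r}")
        self._names[identity] = petname

    def display(self, identity: str, claimed_title: str) -> str:
        """What the toolbar shows. claimed_title is the page's own claim
        ("this is the Paypal website") and deliberately has no effect."""
        return self._names.get(identity, self.UNTRUSTED)


# Constructed fingerprints standing in for verified site identities.
REAL_PAYPAL = "sha256:1111"
LOOKALIKE = "sha256:2222"


def fresh_laptop_scenario() -> tuple[str, str, str]:
    """Brand-new profile: nothing is named until the user binds a petname."""
    store = PetnameStore()
    before = store.display(REAL_PAYPAL, "PayPal - Log In")   # UNTRUSTED
    store.bind(REAL_PAYPAL, "Paypal")                         # user's act, out of band
    after = store.display(REAL_PAYPAL, "PayPal - Log In")    # Paypal
    phish = store.display(LOOKALIKE, "PayPal - Log In")       # UNTRUSTED
    return before, after, phish
```

Nothing here solves the bootstrap question Ben raises: the store is only as good as the user's first binding, which the sketch leaves to an out-of-band act.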