[cap-talk] Re: First point of consensus

Tyler Close list at waterken.net
Wed Feb 9 00:09:47 EST 2005


On Feb 8, 2005, at 4:24 PM, Ka-Ping Yee wrote:

> On Tue, 8 Feb 2005, Tyler Close wrote:
>> On Feb 7, 2005, at 8:43 PM, Ben Laurie wrote:
>>>
>>> Tyler Close wrote:
>>>> In a phishing attack, a spoof site impersonates a trusted site so
>>>> as to intercept the high value communications between the user and
>>>> the trusted site. The introduction and creation of a trust
>>>> relationship has already occurred, and the phisher is trying to
>>>> subvert this existing relationship. To defend against phishing, we
>>>> need only prevent subversion of existing trust relationships.
>>>>
>>>> For example, people with Paypal accounts already have a connection
>>>> and trust relationship with the Paypal website. The phisher wants
>>>> to get the password for this existing Paypal account. We can defeat
>>>> the phisher by preventing impersonation of the Paypal website.
>>>>
>>>> Do you agree that the petname toolbar prevents phishing attacks,
>>>> as they are defined in this email?
>>>
>>> I agree that petnames will prevent spoofing an existing URL, indeed.
>>
>> Consensus on this point in the cap-talk list could be a valuable tool in
>> persuading browser manufacturers to include the petname toolbar feature
>> in their product. Please add a reply to this thread if you agree and
>> wish to see the petname toolbar added to browsers.
>
> I can't sign on to this because it is ill-defined.

Yes, well, I thought it hopeless to get a perfect wording and instead 
expected people to make their own adjustments, as Ben did, which, in 
your own way, I guess you have, so all's good. ;)

>   Some possible
> interpretations include:
>
> 1.  "I wish to see the petname toolbar added to browsers."
>     (My answer: Maybe.)
>
> 2.  "The presence of a petname toolbar in the browser will prevent the
>     user from giving his or her password for site X to a site Y that
>     attempts to impersonate X."
>     (My answer: No.)
>
> 3.  "If the petname bar is the ONLY means of site identification or
>     site navigation available to the user, then phishing will be
>     largely eliminated."
>     (My answer: Probably.)
>
> I contend that evaluating the security of the petname bar is meaningless
> in the presence of other identification and navigation mechanisms
> (like the location bar, form submission, and hyperlinks) unless all
> the identification and navigation mechanisms are evaluated together.

Obviously the Waterken Browser represents my preferred embodiment of 
these concepts, and as you probably know, the Waterken Browser doesn't 
have an address toolbar. The dangers in leaving the address toolbar in 
the GUI are not as bad as you have argued, but the model is safer and 
simpler without it. The three attack scenarios you listed in your 
argument against the address toolbar all involve a website running a 
phishing attack against itself, not against another website.

I don't think either form submission or hyperlinks would benefit from 
any changes. I am happy to have them be evaluated as is, in tandem with 
the petname toolbar.

My biggest concern about interplay with other navigation mechanisms is 
addition of other anti-phishing features. Some have been naively 
arguing for a kitchen sink approach to the problem. I worry that such 
an approach will make the user interaction model so complex, the user 
will be befuddled.

Solving the phishing problem involves at least three very fine 
disciplines: naming, cryptography and GUI design. Getting the three to 
work in harmony while the hamsters create their normal chaos is a 
difficult feat. If we slow our progress, the hamsters will surely win.

Tyler

---
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
