[cap-talk] Firefox and identifiability, small steps or large

Ian G iang at systemics.com
Wed Feb 9 09:31:02 EST 2005


Ka-Ping Yee wrote:

>>1. TrustBar: Protecting (even Naive) Web Users from Spoofing and
>>Phishing Attacks, Amir Herzberg and Ahmad Gbara
>>http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm
>
>I've read that paper.  What they did is not a user study at all;
>it was merely a questionnaire.  It's certainly better than nothing,
>but it is not a user study.  For the results to be applicable, the
>tests should take place while users are actually interacting with
>a browser normally.

I agree it wasn't much.  But it was a bit more than
just a multiple choice:


   "The second goal of the third question was to evaluate whether the 
use of TrustBar is likely to improve the ability of users to discern 
between unprotected sites, protected sites and spoofed (fake) sites. For 
this purpose, we gave users a very brief explanation on the TrustBar 
security indicators, and then presented three additional screen shots, 
this time using a browser equipped with TrustBar. Again, the screen 
shots are presented in Appendix B, and each was presented for 10 to 15 
seconds, taken using Mozilla in the Amazon web site. We leave it as a 
simple exercise to the reader to identify the protected, unprotected and 
spoofed (fake) among these three screen shots.

   "The results provide positive indication supporting our belief that 
the use of TrustBar improves the ability of (naïve) web users to discern 
between protected, unprotected and fake sites. Specifically, the number 
of users that correctly identified each of the three sites essentially 
doubled (to 21, 22 and 29)."

That would rate as a simulation rather than
a field trial, I guess.  Do you have a proposal
as to how to test this?

>Moreover, the entire TrustBar model places absolute trust in
>centralized CAs even though there is no trust relationship between
>the user and the CA.  So, depending on your opinion concerning CAs,
>you might consider TrustBar to be solving the wrong problem.

No.  What TrustBar does is permit a user to
sign off on a cert.  TrustBar does not care
whether that cert comes from a CA or not,
but it will present that information.  It does
however require (I think) an SSL connection
with a cert to base its identity on.

The primary thing about TrustBar is that the
user is asked to select a logo for a site that
she already trusts.  There on in, the logo is
presented.  (I'm a bit hazy on how the logo
is selected... I gather it is just any logo on the
site, but it can be *any* logo, and hence may
be analogous to the pet names concept.)

So in security terms, this is the SSH model,
where the problem is divided and conquered.
First there is the Introduction (which the
paper talks about in the context of PGP,
but could just as well talk about in the
context of YURLs or cryptoIds).  Then, if
the user has trust in that, she selects a
logo.  Thereafter, the browser helps her to
maintain the same context with the same
site via the logo.

As an aside, it also displays the CA's logo
or name.  This is (my suggestion which is)
related to branding and boxing the trust
model of the user.  But that's by no means
essential to the logo approach.  It just
happens to work well together, as an
approach known as defence in depth.

Both help, and both help even more when
both are there.

>>2. Zishuang (Eileen) Ye, Sean Smith: Trusted Paths for Browsers.
>>USENIX Security Symposium 2002, pp. 263-279.
>>http://www.informatik.uni-trier.de/~ley/db/conf/uss/uss2002.html#YeS02
>
>The study described in this paper is not a study of phishing.  It
>tests only to see if users can distinguish trusted and untrusted
>windows according to their flashing borders.

OK, fair comment - but bear in mind that nobody
knew phishing as phishing until 2003, even though
it has been around since 1997 or so.  And even now,
it's hard on this group to get a consensus on what
phishing is...

>(Although the synchronized random flashing of borders is a
>technically valid solution for distinguishing windows, i believe
>it is a non-starter in any real application.  Notice that the user
>study did not ask any users whether they would actually WANT to
>use a browser full of constantly flashing thick rectangles, or
>how many minutes of such use they would be able to stand before
>walking away with a pounding headache.)
>
>Has anyone heard of any studies in which users actually interacted
>with an anti-phishing tool?

I certainly agree that the benchmark isn't high
right now.  But if you are suggesting those results
have no validity, then I guess we'll have to wait
until the paper where that is going to be argued.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
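The "SSH model" Ian describes above (an Introduction step in which the user decides to trust a site and picks a logo, after which the browser keeps showing that logo only for the same site with the same certificate) can be sketched as a small pet-name store. This is an added example written for this page; it is not code from the original post, from TrustBar, or from any browser, and the origins, labels and "certificates" in it are constructed stand-ins (real fingerprints would be taken from the DER certificate received in the TLS handshake).

```python
"""Pet-name style binding of a site's certificate to a user-chosen label.

Added example (not from the original post or from TrustBar). Models the
'SSH model' described in the thread: the first visit is the Introduction
step, where the user decides to trust the site and picks a label (standing
in for TrustBar's logo). Later visits compare the presented certificate
against the stored binding and show the label only on a match. The
certificates below are constructed byte strings, not real DER certificates.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Dict, Optional, Tuple


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as colon-separated hex."""
    digest = sha256(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Binding:
    petname: str       # user-chosen label standing in for the logo
    fingerprint: str   # fingerprint of the certificate seen at introduction


@dataclass
class PetnameStore:
    bindings: Dict[str, Binding] = field(default_factory=dict)

    def check(self, origin: str, cert_der: bytes) -> Tuple[str, Optional[str]]:
        """Classify a connection to `origin` presenting `cert_der`.

        Returns (status, petname):
          ("unknown", None)   no binding yet; the user has not been introduced
          ("trusted", name)   same origin, same certificate as at introduction
          ("mismatch", name)  known origin but a different certificate
        """
        binding = self.bindings.get(origin)
        if binding is None:
            return ("unknown", None)
        if binding.fingerprint == cert_fingerprint(cert_der):
            return ("trusted", binding.petname)
        return ("mismatch", binding.petname)

    def introduce(self, origin: str, cert_der: bytes, petname: str) -> Binding:
        """Introduction step: the user decides to trust this origin and binds a label.

        Refuses to silently overwrite an existing binding; the user must forget it first.
        """
        if origin in self.bindings:
            raise ValueError(f"{origin} already has a pet name; forget it first")
        binding = Binding(petname, cert_fingerprint(cert_der))
        self.bindings[origin] = binding
        return binding

    def forget(self, origin: str) -> None:
        """Drop a binding, e.g. after the user has verified a legitimate certificate change."""
        self.bindings.pop(origin, None)


def render_indicator(status: str, petname: Optional[str]) -> str:
    """What the browser chrome would show in place of TrustBar's logo area."""
    if status == "trusted":
        return f"[{petname}]"
    if status == "mismatch":
        return f"WARNING: certificate for {petname!r} has changed"
    return "(no pet name: site not yet introduced)"


# Constructed stand-ins for DER certificates; real ones come from the TLS handshake.
BANK_CERT = b"constructed-cert:bank.example"
BANK_CERT_RENEWED = b"constructed-cert:bank.example:renewed"
LOOKALIKE_CERT = b"constructed-cert:bank-example.test"


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk through introduction, a genuine revisit, a lookalike origin, and a changed cert."""
    store = PetnameStore()
    results = {}
    results["first_visit"] = store.check("bank.example", BANK_CERT)
    store.introduce("bank.example", BANK_CERT, "My Bank")
    results["revisit"] = store.check("bank.example", BANK_CERT)
    # A different origin presenting its own certificate gets no label: the
    # binding is per origin, so a lookalike site cannot borrow the pet name.
    results["lookalike"] = store.check("bank-example.test", LOOKALIKE_CERT)
    # Same origin, different certificate: could be a renewal or interception,
    # so the store does not decide for the user; it flags the change.
    results["changed_cert"] = store.check("bank.example", BANK_CERT_RENEWED)
    return results


if __name__ == "__main__":
    for step, (status, name) in demo().items():
        print(f"{step:13} {status:9} {render_indicator(status, name)}")
```

The store deliberately keys the binding on the origin and reports a changed certificate as a mismatch rather than quietly rebinding; whether to trust the new certificate is left to the user, which is the same division of labour the thread attributes to the SSH model. The CA name TrustBar also displays is orthogonal and could be shown alongside the label without changing this logic.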