[cap-talk] an attack on the pet name tool bar
Ka-Ping Yee
cap-talk at zesty.ca
Sat Feb 12 04:37:24 EST 2005

On Thu, 10 Feb 2005, Ian G wrote:
> If the user falls victim to this, a second pro-forma
> phish is then created with a false petname bar
> and the other details.
[...]
> So the question is, even though the pet name
> provides a useful defence against phishing, what
> is stopping the pet name itself from being phished?

A fundamental prerequisite for any trustworthy browser function
(including the petname toolbar) is for some part of the browser's
interface to be recognizably unspoofable. Currently, browser
trustworthiness relies on the unspoofability of the window frame
(particularly its close button), the pull-down menus, the toolbar
buttons, the address bar, and the status bar.

Browsers that allow random parties to eliminate or replace these
trusted parts of the window are committing a heinous sin. (Just
today i received an e-mail message that asked me to follow a link
to http://220.65.28.3/webscr/ , a page that creates a completely
undecorated popup window outside of the rendering frame, covering
up the address bar with a fake address. That IE grants untrusted
pages the power to do this is just unforgivable.)

In my opinion, the real threat to the petname toolbar is that the
significance of the toolbar's judgement (known vs. unknown) may
become devalued. This could happen in a few ways, for example:

1. The user adds the petname toolbar to his current browser
and doesn't bother to register petnames for all the
previously existing accounts he has registered at all
sorts of websites. Since the toolbar says "unknown"
everywhere, the user quickly learns that the toolbar is
meaningless and proceeds to ignore it.
2. The user understands that he should register petnames to
signify existing trust relationships. But when setting up
the petname toolbar for the first time, the user doesn't
remember all the accounts he has, and forgets a few. When
he visits one of these forgotten sites, he realizes it was a
forgotten site and proceeds to add a petname. After doing
this a couple of times, the user learns: "If i go to a
familiar-looking site and the petname toolbar says 'unknown',
then i must have forgotten to register a petname -- so i
should register one then." By getting used to this process,
the user renders the petname toolbar useless (and even
dangerous, since it now provides a false sense of security).
3. Phishers step up their attacks by editing their password-
capturing webpages to say: "Have you installed the petname
toolbar? If you haven't, get it now (link). If you have a
petname toolbar, assign a petname to this session now. It
is important that you do this NOW to secure your relationship
with us!" (It is also entirely possible that legitimate banks
will put up instructions that look just like this as well!)

In short, the problem is that when the user sees "unknown" in the
petname toolbar, he must make a distinction between (a) this is a
potentially dangerous site with which i have no trust relationship;
and (b) this is the site i want, except i haven't set up a pet name
yet. The user has to make a judgement about whether or not he forgot
something, which by definition is hard to do since if you forgot
something you wouldn't remember it. I think that in order for the
petname toolbar to be truly effective, the frequency of situation (b)
must be minimized.

If (b) happens as often as (a), or even half as often as (a), then
"unknown" will cease to mean anything useful.

I'll post some ideas i have for addressing this in a separate thread.

-- ?!ng