[cap-talk] "Secure Bookmark" terminology and Phoolproof Phishing Preventing from CMU

Toby Murray toby.murray at dsto.defence.gov.au
Thu Sep 7 18:04:41 CDT 2006


Some on this list might be interested to know that the "secure bookmark"
term is being employed in an anti-phishing project at CMU. I haven't read
the paper so am unsure whether their use of the term is consistent with
its usage on this list (namely to denote an authority-carrying URL).

Details about their project can be found here:
http://sparrow.ece.cmu.edu/~parno/phishing/

From the "How does it work" section of the project's homepage:

> Suppose Alice goes to her local bank branch and registers to use the 
> Phoolproof system with her bank account. This is what happens when she 
> goes to access her account online:
>
> 	* Alice selects the bank’s secure bookmark on her mobile device (e.g., 
> cell phone).
> 	* The device opens a browser on her computer and directs the browser to 
> her bank’s website.
> 	* The browser retrieves the bank’s certificate and forwards it to 
> Alice’s mobile device.
> 	* The mobile device verifies the bank’s certificate and sends Alice’s 
> certificate, along with a signature.
> 	* Alice logs in with her username and password.
> 	* The server verifies Alice’s certificate, username, and password.
> 	* Alice uses the website as she normally would.
>
> It's easy — Alice types in her username and password (as usual) and 
> presses a button on her mobile device. With minimal effort, she can 
> rest assured that she set up a secure connection with the right website!
>


-- 
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia

IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
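The quoted steps describe a mutual-authentication flow: the bookmark carries a pin on the bank's certificate, the device refuses to cooperate unless the browser's peer presents that certificate, and the device's signature ties Alice's certificate to the session. The following Go program is an added model of that flow for readers of the list; it is not the Phoolproof project's code and not the poster's. Assumptions not stated on the project page: the pin is a SHA-256 hash of the bank's DER certificate, the device's signature covers the presented server certificate plus a fresh server nonce, keys are ECDSA P-256, and passwords are stored as a plain SHA-256 stand-in for a real password hash. All certificates and the hostname `bank.example` are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert mints a self-signed ECDSA P-256 certificate for cn.
// Constructed fixture: stands in for the bank's real certificate chain.
func newSelfSignedCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SecureBookmark is what Alice's device stores at enrollment (step 0 of the quote):
// the bank's URL, a pin on the bank's certificate, and Alice's own certificate and key.
type SecureBookmark struct {
	URL         string
	BankCertPin [32]byte // SHA-256 of the bank's DER certificate seen at enrollment (assumption)
	UserCert    *x509.Certificate
	UserKey     *ecdsa.PrivateKey
}

// transcript is the message the device signs: the server certificate the browser
// forwarded plus a fresh server nonce. Assumption: the project page does not say
// exactly what the device's signature covers.
func transcript(serverCertDER, nonce []byte) []byte {
	h := sha256.New()
	h.Write(serverCertDER)
	h.Write(nonce)
	return h.Sum(nil)
}

// DeviceAuthenticate is the device side of steps 3 and 4: verify the forwarded
// certificate against the pin, and only then release Alice's certificate and a signature.
func (b *SecureBookmark) DeviceAuthenticate(presented *x509.Certificate, nonce []byte) (*x509.Certificate, []byte, error) {
	if sha256.Sum256(presented.Raw) != b.BankCertPin {
		return nil, nil, errors.New("device: presented certificate does not match the bookmark's pin")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, b.UserKey, transcript(presented.Raw, nonce))
	return b.UserCert, sig, err
}

// BankServer holds the bank's certificate and the enrolled users.
type BankServer struct {
	Cert      *x509.Certificate
	Users     map[string]*x509.Certificate
	Passwords map[string][32]byte // plain SHA-256 as a stand-in for a real password hash
}

// VerifyLogin is step 6: the certificate must be the one enrolled for the username,
// the signature must bind to this server's certificate and nonce, and the password must match.
func (s *BankServer) VerifyLogin(user, password string, nonce []byte, cert *x509.Certificate, sig []byte) error {
	enrolled, ok := s.Users[user]
	if !ok || !enrolled.Equal(cert) {
		return errors.New("server: unknown user or certificate not enrolled")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, transcript(s.Cert.Raw, nonce), sig) {
		return errors.New("server: signature does not bind to this server and nonce")
	}
	if sha256.Sum256([]byte(password)) != s.Passwords[user] {
		return errors.New("server: bad password")
	}
	return nil
}

// Enroll models the visit to the branch: the bank records Alice's certificate and
// password and hands back a bookmark pinned to the bank's current certificate.
func Enroll(bank *BankServer, user, password string) (*SecureBookmark, error) {
	userCert, userKey, err := newSelfSignedCert(user)
	if err != nil {
		return nil, err
	}
	bank.Users[user] = userCert
	bank.Passwords[user] = sha256.Sum256([]byte(password))
	return &SecureBookmark{URL: "https://bank.example", BankCertPin: sha256.Sum256(bank.Cert.Raw),
		UserCert: userCert, UserKey: userKey}, nil
}

// RunScenario walks the quoted steps end to end. With lookalike=true the browser lands on
// a site whose certificate carries the bank's name but a different key; the device must
// refuse to sign, so the login never reaches the server. Returns nil only on a good login.
func RunScenario(lookalike bool) error {
	bankCert, _, err := newSelfSignedCert("bank.example")
	if err != nil {
		return err
	}
	bank := &BankServer{Cert: bankCert, Users: map[string]*x509.Certificate{}, Passwords: map[string][32]byte{}}
	bm, err := Enroll(bank, "alice", "correct horse")
	if err != nil {
		return err
	}
	presented := bank.Cert
	if lookalike {
		if presented, _, err = newSelfSignedCert("bank.example"); err != nil { // same name, different key
			return err
		}
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	userCert, sig, err := bm.DeviceAuthenticate(presented, nonce)
	if err != nil {
		return err
	}
	return bank.VerifyLogin("alice", "correct horse", nonce, userCert, sig)
}

func main() {
	fmt.Println("genuine bank site:", RunScenario(false))
	fmt.Println("look-alike site:  ", RunScenario(true))
}
```

The check that does the anti-phishing work is the pin comparison in `DeviceAuthenticate`: a look-alike site can present a perfectly valid certificate for a confusable name, but it cannot present the certificate Alice's device pinned at the branch, so the device never releases a signature and the username and password typed into the browser are the only thing exposed. Binding the signature to the server certificate and a nonce is what stops a relay from reusing a signature obtained against the real bank.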


