[cap-talk] "Secure Bookmark" terminology and Phoolproof Phishing Preventing from CMU
Mark S. Miller
markm at cs.jhu.edu
Thu Sep 7 21:35:17 CDT 2006
Toby Murray wrote:
> Some on this list might be interested to know that the "secure bookmark"
> term is being employed in [an anti]-phishing project at CMU. I haven't read
> the paper so am unsure whether their use of the term is consistent with
> its usage on this list (namely to denote an authority-carrying URL).
> Details about their project can be found here:
I don't know yet either, but from their paper, it seems they don't understand
what we're doing:
> The Petname project associates a user-assigned nickname with each website
> visited. If the browser loads a page from a spoofed web site, the nickname
> will be missing or wrong – the approach relies on users to notice either case.
> In addition, users will likely choose predictable nicknames (e.g., nicknaming
> Amazon.com’s website “Amazon”), making nicknames easy to spoof.
> 39. Waterken Inc. Petname tool. http://www.waterken.com/user/PetnameTool/, 2005.
Your paper doesn't include email addresses, and the web page only had yours.
Could you please forward the following question to your co-authors? You are
all invited to join the cap-talk list
<http://www.eros-os.org/mailman/listinfo/cap-talk> and respond there. Thanks.
Your text above clearly states "user-assigned", but you still think spoofing
is an issue. Why does it matter if an attacker correctly guesses that my
petname for Amazon.com is "Amazon"? What attack does this enable?
For more on petnames, please see
<https://www.financialcryptography.com/mt/archives/000499.html>. (Note: when
discussing petname systems, "nickname" refers to a distinct concept. To avoid
confusion, please do not refer to petnames as nicknames. Thanks.)
Text by me above is hereby placed in the public domain
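The point the question above turns on is where the petname lives: it is bound on the user's own machine to the site identity the browser verified, not to anything the page sends. The following toy store is an added illustration written for this archive page, not the Waterken Petname Tool's code; the "site identity" is a constructed certificate fingerprint standing in for what a real browser extension would take from the TLS handshake.

```python
"""Toy petname store: the user's own label is bound to a verified site
identity, so a lookalike site that knows the label cannot display it.

Added illustration, not the Waterken Petname Tool's code. The site
identity is a constructed key fingerprint; a real extension would take
it from the certificate the browser validated.
"""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample keys: the real site's and a lookalike's.
AMAZON_KEY = b"constructed-public-key-of-the-real-site"
SPOOF_KEY = b"constructed-public-key-of-a-lookalike-site"


def fingerprint(pubkey: bytes) -> str:
    """Identity of a site = hash of the public key the browser verified."""
    return hashlib.sha256(pubkey).hexdigest()


class PetnameStore:
    """Maps a verified site identity to the label the user assigned to it."""

    def __init__(self) -> None:
        self._by_identity: Dict[str, str] = {}

    def assign(self, identity: str, petname: str) -> None:
        # Only the user calls this, after deciding which site the label means.
        self._by_identity[identity] = petname

    def label_for(self, identity: str) -> Optional[str]:
        # The lookup key is the identity the browser verified; page content
        # (titles, logos, hostnames in the body) never reaches this table.
        return self._by_identity.get(identity)


def render_toolbar(store: PetnameStore, verified_pubkey: bytes) -> str:
    """What the toolbar shows for the site the browser actually connected to."""
    petname = store.label_for(fingerprint(verified_pubkey))
    return petname if petname is not None else "<no petname>"


def demo() -> Tuple[str, str]:
    """Real site vs. lookalike, with the predictable label the paper worries about."""
    store = PetnameStore()
    store.assign(fingerprint(AMAZON_KEY), "Amazon")
    # The lookalike may know the user's label is "Amazon", but it cannot
    # present the real site's key, so the toolbar shows nothing for it.
    return render_toolbar(store, AMAZON_KEY), render_toolbar(store, SPOOF_KEY)


if __name__ == "__main__":
    print(demo())  # ('Amazon', '<no petname>')
```

Run as a script to see the two toolbar renderings side by side; the missing label on the second is the "missing or wrong" signal the quoted paper describes, and guessing the label changes nothing about it.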