[cap-talk] Update on petname related anti-phishing work at the W3C
Tyler Close
tyler.close at gmail.com
Wed Jun 27 18:50:20 EDT 2007
On 6/27/07, Karp, Alan H <alan.karp at hp.com> wrote:
> I like the proposal a lot.
Thanks.
> I only have some minor comments.
>
> Is the bottom of the browser window the best place for the tool? I'm
> concerned that the user's attention will be closer to the top of the
> page.
You're probably right, but the top of the page is a cesspool from a
security point of view. All of the widgets there are displaying
messages from the attacker. I'm hoping that I can distinguish this new
chrome area from the spoiled one by going to the opposite end of the
screen. Being at the bottom also has some other advantages:
- I figure the "attention key" will be the down arrow key which is
currently used to summon the browser's form filler.
- It's clearer that the information is about the current browser
tab, since the tab border encompasses the bottom of the screen, but
not the top. In testing, many users are confused about the
relationship between the address bar, back button, etc. and multiple
tabs.
- It's harder to shoulder surf information hidden by your belly. ;)
> You state in 5.2.1 "Pressing the enter key with the keyboard focus in
> the text field transfers the displayed text string to a corresponding
> field in the currently displayed web page." How do you know which field
> is the corresponding one?
The one that previously had the keyboard focus. This is explained in
greater detail further down in the proposal.
> "Users' understanding of his task" should read "User's understanding of
> his task" or "Users' understanding of their tasks"
Fixed, thanks.
> What is an "attention key"? Isn't a user more likely to move the mouse
> to the field and click?
The "attention key" is something like the down arrow key that
currently activates the form filler. This sequence allows me to know
where to put the selected text string.
> Does the user's password in the tool appear in the clear or obscured?
I was thinking in the clear, but I realize some people may balk. What
do you think?
> Define "similar" when referring to petnames.
Just using one of the similarity algorithms like Google does, or
MS-Word does. For example, type "Amazom" into Google. Should also do
substring matches.
> 5.4.3: Does this approach address the "Bank of the VVest" problem?
I think so. Can you explain the threat in more detail?
> 5.7.2: Perhaps I got a new credit card number because I realized I'd
> been phished. In that case, I don't want the new number to appear to
> have been given to places that got the old number.
Are you saying you want to be able to delete a petname and its
corresponding history?
> 5.7.3: How does the user agent get the list of trusted certificate
> authorities? Are they taken from the browser?
The user agent is the browser, and so yes, it's the list of
certificates built into the browser.
> How do you deal with http sites?
No support provided. Your browser will refuse to form fill your
secrets into a plaintext comm channel. I'll write this in more
explicitly.
Thanks,
Tyler
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
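As an added example (not code from the original post, nor from the petname tool add-on), here is one way to implement the "similar petname" check Tyler describes above: Levenshtein edit distance, substring matching, and a small fold of visually confusable character sequences so that "Bank of the VVest" collides with "Bank of the West". The similarity threshold of 0.75 and the confusable table are assumptions chosen for illustration. JavaScript is used because the tool in question is a Firefox add-on.

```javascript
// Added example: flag a proposed petname that is "similar" to a petname
// the user already assigned, so the tool can warn instead of silently
// treating it as a new, unrelated site.
// Assumptions (not from the original post): the threshold and the
// confusable table below are illustrative choices.

// Visually confusable sequences folded before comparison (assumed table).
const CONFUSABLES = [
  [/vv/g, "w"],   // "VVest" -> "west"
  [/rn/g, "m"],   // "rn" is easily read as "m"
  [/0/g, "o"],
  [/1/g, "l"],
  [/\|/g, "l"],
];

// Lower-case, collapse whitespace, and apply the confusable fold.
function normalize(name) {
  let s = name.toLowerCase().replace(/\s+/g, " ").trim();
  for (const [re, rep] of CONFUSABLES) s = s.replace(re, rep);
  return s;
}

// Classic dynamic-programming Levenshtein distance (insert/delete/substitute).
function levenshtein(a, b) {
  let prev = new Array(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Similarity in [0, 1]: 1 means identical, 0 means nothing in common.
function similarity(a, b) {
  const n = Math.max(a.length, b.length);
  return n === 0 ? 1 : 1 - levenshtein(a, b) / n;
}

// Return the existing petnames that the proposed petname collides with,
// each tagged with the reason it was flagged.
function findSimilarPetnames(proposed, existing, threshold = 0.75) {
  const p = normalize(proposed);
  const hits = [];
  for (const name of existing) {
    const e = normalize(name);
    let reason = null;
    if (e === p) reason = "identical after confusable fold";
    else if (e.includes(p) || p.includes(e)) reason = "substring";
    else if (similarity(e, p) >= threshold) reason = "edit distance";
    if (reason) hits.push({ petname: name, reason });
  }
  return hits;
}

// Usage with a constructed petname list (sample data, not real user data):
const EXISTING_PETNAMES = ["Amazon", "Bank of the West", "My Bank"];
for (const candidate of ["Amazom", "Bank of the VVest", "Amazon UK", "Flickr"]) {
  console.log(candidate, "->", JSON.stringify(findSimilarPetnames(candidate, EXISTING_PETNAMES)));
}
```

The three checks are ordered from strongest to weakest: an exact match after folding confusables is the homograph case, a substring match catches "Amazon UK" against "Amazon", and the edit-distance check catches the one-letter typo that the "Amazom" Google example illustrates. Any hit is a reason to warn the user before a secret is filled into the page.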