[cap-talk] Security considerations for cookies
Toby Murray
toby.murray at comlab.ox.ac.uk
Tue Feb 23 12:59:42 PST 2010
On 23 February 2010 20:10, Sandro Magi <naasking at higherlogics.com> wrote:
> This exact argument applies to the Petname Toolbar, so if you're
> suggesting this anti-spoofing scheme would fail, then so would petnames.
Absolutely. I was thinking of the petname tool as well when I wrote
that. I would like to think that there is a way to do better than
petnames, or a method that doesn't place the same burden on the user
to do something out of the ordinary in order to be secure when they're
being attacked. The system shouldn't require the user to do anything
out of the ordinary in an attack scenario, because that requires the
user to acknowledge the possibility of an attack. Cognitive/emotional
bias prevents that acknowledgement from being able to be relied upon
to be made by the user.
> If the user is suddenly presented with a theme/icon that is completely
> different, the initial shock will be sufficient to make them look twice
> and question what's going on.
I think 'will' is far too strong. I would concede 'maybe' but also
argue that there would be a reasonable proportion of users who
wouldn't question it at all. Websites update their themes all the
time.
> They will then notice that none of their
> e-mails are there, or their folders don't look right, etc.
Indeed for GMail. But I think my more general point about
'personalised theme' based authentication (to allow users to
authenticate services) still holds.
> In order to be explicit about what action should be taken, you can also
> display a prominent message with a link, "Not your account/Something
> doesn't look right? Sign out here."
You can do all of these things. But you're just shifting the
responsibility to the user. Better would be to find a way that doesn't
require the user to do anything out of the ordinary (that they haven't
done the other N-1 times they've checked their email) to be secure.
Every time the user has logged in and not been attacked in this way,
they've been trained to think of that "Not your account/...." text as
something that need not concern them. You can't expect them to take
notice of it the one time they're attacked if it has never been
relevant to them in the past. That's asking too much IMO.
Cheers
Toby