[Ietf-http-auth] Pondering some issues on the phishing draft

Sam Hartman hartmans-ietf at mit.edu
Wed Oct 24 07:55:00 PDT 2007


>>>>> "christopher" == christopher  <christopher at pobox.com> writes:

    christopher> Hi Sam, I'd recommend something different; outside
    christopher> the box.  If you're worried about people using UI
    christopher> clues, and you need mutual auth, and you need
    christopher> per-site security (like pwdhash), it might be best to
    christopher> build all these in together in a way that users
    christopher> cannot ignore.  eg: If PayPal assigned me a yellow
    christopher> tennis shoe jpeg, and I've got to click that to log
    christopher> in, that's an elegant small part of the solution that
    christopher> solves all these problems (and, doesn't need everyone
    christopher> to have admin rights to install crypto extensions on
    christopher> every PC they use)

Personally I'm more interested in decreasing the extent to which the
document over-sells specific UI solutions rather than thinking more
outside the box.  I'd appreciate others' comments.

In particular, I think we can say that strong authentication allows us
to provide confidential information to the authenticated user without
unacceptable risk that it is being disclosed to the wrong party.  So,
for example, if you use strong authentication and are using something
like sitekey to get mutual authentication, then you would not need to
rely on cookies for the image if you sent the sitekey after login.

The current document says that this confidential information will
help.  That's not clear because it's not clear that users will take
advantage of the clues.


Now, I think it would be appropriate to mention that interacting with
confidential components is something to explore.  I.e., if it turns out
that rather than ignoring the problem, people will tend to call their
bank and complain when they cannot find the right shoe to click after
they login, then your shoes could be a part of the answer.
Personally I think this is rather unlikely to work.  However it is
different than sitekey in that you have to make some decision--you
have to click something.  With sitekey, you can more easily ignore the
image.  Of course I think the usability concerns of having an extra
step in the login process might bother a lot of people.  I don't think
it would be appropriate to recommend this or really any of the
specific UI items as anything other than something to explore.


--Sam

