An attack on paypal --> secure UI for browsers

Amir Herzberg amir at herzberg.name
Mon Jun 9 04:54:16 PDT 2003


At 18:03 08/06/2003 -0400, Tim Dierks wrote:
<skip>
>  - Get browser makers to design better ways to communicate to users that 
> UI elements can be trusted. For example, a proposal I saw recently which 
> would have the OS decorate the borders of "trusted" windows with facts or 
> images that an attacker wouldn't be able to predict: the name of your 
> dog, or whatever. (Sorry, can't locate a link right now, but I'd 
> appreciate one.)

Here are two...

Yuan, Ye and Smith, Trusted Path for Browsers, 11th Usenix security symp, 
2002.

Ka Ping Yee, User Interface Design for Secure System, ICICS, LNCS 2513, 2002.

This issue is also covered somewhat by my article in CACM (May 2002).

Best, Amir Herzberg
http://amir.herzberg.name

>  - Combine the two to allow sites to provide a user-trustable UI to enter 
> a password which cannot be sucked down.
>  - Evangelize to users that this is better and that they should be 
> suspicious of any situation where they used such interface once, but now 
> it's gone.
>
>I agree that the overall architecture is broken; the problem is that it's 
>broken in more ways than can just be fixed with any change to TLS/SSL or HTTPS.
>
>  - Tim
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
