An attack on paypal --> secure UI for browsers

Nomen Nescio nobody at dizum.com
Mon Jun 9 22:00:08 PDT 2003


Tim Dierks wrote:
>  - Get browser makers to design better ways to communicate to users that 
> UI elements can be trusted. For example, a proposal I saw recently which 
> would have the OS decorate the borders of "trusted" windows with facts or 
> images that an attacker wouldn't be able to predict: the name of your 
> dog, or whatever. (Sorry, can't locate a link right now, but I'd 
> appreciate one.)

It was none other than Microsoft's NGSCB, nee Palladium.  See
http://news.com.com/2100-1012_3-1000584.html?tag=fd_top:

   NEW ORLEANS--Microsoft is trying to make security obvious.

   The software giant plans to visually alter document or application
   windows that contain private information that's secured through
   Microsoft's Next-Generation Secure Computing Base (NGSCB), formerly
   known as Palladium. Secure windows will look different than regular,
   unsecured windows in order to remind users that they are looking
   at confidential material, Peter Biddle, product unit manager for
   Microsoft, said Thursday at the Windows Hardware Engineering Conference
   (WinHEC) here.
   ...
   The border of a secured page may contain information--such as the
   names of all the dogs that someone has ever owned--to make the data
   instantly recognizable as sound to the individual owner, as well as
   difficult to replicate. A hacker can create a spoof page with dogs'
   names running along the border but, in all likelihood, not one reading
   "Buffy, Skip and Jack Daniels--and in that order," Biddle said.
   ...
   Information on secured windows will vanish if another window is placed
   on top of it or shifted to the background. Erasing the information
   will prevent certain types of attacks and remind people that they're
   dealing with confidential material, Biddle said.

   When the secure window returns to the top of the stack, the information
   will reappear, he said.

I don't see how this is going to work.  The concept seems to assume
that there is a distinction between "trusted" and "untrusted" programs.
But in the NGSCB architecture, Nexus Computing Agents (NCAs) can be
written by anyone.  If you've loaded a Trojan application onto your
machine, it can create an NCA, which would presumably be eligible to
put up a "trusted" window.

So either you have to configure a different list of doggie names for
every NCA (one for your banking program, one for Media Player, one for
each online game you play, etc.), or else each NCA gets access to your
Secret Master List of Doggie Names.  The first possibility is unmanageable
and the second means that the trustedness of the window is meaningless.

So what good is this?  What problem does it solve?

---------------------------------------------------------------------
The Cryptography Mailing List