Transparent and Usable Security Workshop

16 Mar 2006

See also: program with links to slides, IRC log

Thomas Roessler
Chaals, Jose, Mez, Mike B., Alan, Mez


  1. Candidate Technologies III: Protocols
  2. A Confidence Model of Web Browsing - Prasanta Behera, Naveen Agarwal; Yahoo, Inc
  3. Approaches to Simplify Server Authentication - Frederick Hirsch, Nokia
  4. Applying Context to Web Authentication - John Linn
  5. How sites can manage HTTPS when users dont - Andy Ozment et al.
  6. Candidate Technologies IV: Identity
  7. Identity 2.0 - John Merrells, SXIP Identity
  8. Identity Rights Agreements and Provider Reputation - Kaliya Hamlin
  9. Identity Metasystem - Michael Jones, Microsoft
  10. Candidate Technologies IV: Identity (panel discussion)
  11. Closing Panel preparation
  12. Improving Internet Trust and Security - George Staikos; KDE
  13. Sending the Right Signals, Mike Beltzner, phenomenologist mozilla corporation
  14. Security for users and browsers. Charles McCathieNeville (Opera)
  15. Candidate Technologies V: Browsers (panel discussion)
  16. What have we learned from these last two days? - Dan Schutzer
  17. Conclusion, thanks to the host
  18. story about connection



Candidate Technologies III: Protocols

<scribe> Scribe: Chaals

<scribe> scribenick: chaals

A Confidence Model of Web Browsing - Prasanta Behera, Naveen Agarwal; Yahoo, Inc

PB: we are in login / identity group...
... we are talking about an idea we hav been kicking around for a couple of months. Haven't prototyped it yet - will obviously need work.

slide 1: Problem.

PB: most of this has been discussed. Authentication is just one part - once a user has authenticated the whole interaction needs to be "safe".

NA: Main querstion - how does a company with multiple domains assert that they are all the same organisation

PB: SSL-only won't do the job
... pricing, deployment problems
... multiple domains - Yahoo, flickr, deli.cio.us ...

Q: Just management, not SSL performance?

NA: Performance is also a problem - makes a big difference in content stuff like flickr
... for banking it is important, but for general browsing it has too big a hit on servers and transfers.

PB: There is a lot of content that doesn't need to be secured.
... there is a model where you can decide on sites you want to trust - put a URI into a list. Kind of works, but you have to select each URI
... only works for HTTPS.
... so not scalable for large deployment case

Q: You want the user to know they are on teh authenticated site, but concerned about the overhead of SSL?

NA: Those are some of the problems. Also SSL only says transmission is secure - doesn't let you assert that you are dealing with the same company over a collection of domains

<chaals_> [I like that Yahoo does the right thing and not shift URIs when they buy existing services]

PB: Some solutions were discussed yesterday. Hashing some content...

NA: This is in addition to what a client can do - we are trying to find soething servers can do to help the client.

next slide: approach

NA: You get a token based on a browser saying they trust a service, like a shared secret

next slide: flow model

<beltzner> [this requires that the user identify a site every time they start a session, right?]

Q: What if you don't get a response from an SSL request

NA: Well, you don't mark it as trusted

Q: With multiple requests, I could send one request and get a MiM/malicious response

A: What would the hacker gain from that?

chair then asked to hold questions until the end

next slide: sample metadata

PB: There are companies trying to spoof Yahoo. So we want to capture the information of what really is yahoo.

NA: So you can say flickr.com and yahoo.com are part of the same group, using metadata - you get the same token from each domain.

next slide: confidence browsing

PB: Browser can check that the token is the same as one they got from a trusted source.

next slide: what is not addressed

next slide: conclusion

Q: Why is binding from organisation to domains browser-specific not global?

PB: Each domain should have unique data from browser, to make the token have the nature of a shared secret

Q: The problem was that I see a website made to appear like someone else's website?

PB: Where you are getting data from a lot of different domains, you want to know that you are dealing with the same overall site/company

Q: So I can fool the user into thinking they are dealing with Yahoo...

NA: This is based on having established a relationship already. If you trusted Yahoo somewhere and selected them, then the bar will show if something is not part of a trusted site
... this could be used to insert personalised recognition token into the page.
... it is hard to make the chrome foolproof - unless you are relying on something personalised to the user

TR: Time please, gentlemen...

Approaches to Simplify Server Authentication - Frederick Hirsch, Nokia

ack Hubert A. Le Van Gong, Sun

FH: looking at some approaches where single sign-on can be brought to bear on a problem
... Constrained discussion. Two organisations - Liberty Alliance, OASIS SSAML stuff
... Liberty Alliance has been around a while, done the Federation Framework (also a Web Services thing)
... talking loosely to outline an approach, not lay out a completed solution

next slide: Motivation

FH: Lot of discussion already. This doesn't direct phishing directly I don't think.
... two approaches - shared secret, and a reverse single sign-on where servers authenticate to clients

next slide: Shared secret approach

FH: No CA required... but there are other standardising issues
... discussed in previous talk.
... This brings us back to what kerberos was doing.

next slide: simplified server authentication

next slide: SSA advantages and issues

FH: you can leverage existing work.

next slide: SSA Approaches

FH: Assumes some sort of relationship among the parties
... You can use a proxy for clients that don't handle the whole lifting themselves

next slide: IDP secret approach

FH: Use an ID provider to proxy authentication of service
... The client can enforce a requirement that the service provider authenticate too, if required to authenticate to them.

next slide: IDP secret approach (second slide)

next slide: Flow diagram

FH: Like SAML but added steps for service provider

next slide: IDP Accessed as Portal

FH: Then the client doesn't need to go back and forth authenticating if it trusts a portal providing ID...

next slide: IDP Portal operation

next slide: flow diagram for IDP portal

next slide: Enhanced client or proxy

FH: Put something more into the flow
... so you know how to get to the right ID. Bunch of this stuff went into SAML.

next slide: flow diagram - enhanced client

next slide: summary

Q: clarification. problem is mutual authentication in a single sign-on context?

FH: Yes.

Q...: leveraging a ring of trust?

FH: Right.

Q...: How does this compare to other approaches to site authentication

FH: Didn't think about it :)
... this is a presentation of another idea, but not comparative
... Oh. Hang on. This doesn't assume an authentication mechanism per se. There are various techniques that could be plugged into this approach.

Q: Trying to understand difference between this and static authentication. ... what are benefits?

FH: Client doesn't need to do a lot of crypto/PKI
... underlying is still the authentication infrastructure

Q: Under enhanced client / proxy you assume there are no requirements for changing client. that is if it knows about the IDP, right?

FH: Right...

Applying Context to Web Authentication - John Linn

John Linn et al.

next slide: Overview

next slide: Web Authentication Today

JL: The situation today is not very pretty...

next slide: user authentication flow, decomposed

JL: There are various points of attack available
... but in the happy case you get data to the site...

next slide: authenticator data: 3 reusability classes

next slide: Partially reusable data - example context dimensions

JL: Make the data something that makes no sense outside some aspect(s) of the original context(s)
... the more dimensions of unique contextual value, the better your protection

next slide: Protecting evidence in a destination context

next slide: aspects of approach

JL: Password is a deterrent - not necessarily guaranteed, but can be made relatively pointless...
... to break down

next slide: safeguarding the evidence

next slide: mutual authentication

JL: User Interface design here is important...
... you can say "here is what we found, what do you want to do", or interpret and act on behalf of user. Perhaps neither is the right universal approach

next slide: standardisation prospects

next slide: concluding observations

Q: ??? licensing ???

Q: We have told users about trusted paths, but they still click dodgy links in email. Could I still do that...

JL: Think it is a fertile ground for thinking about it

Q: (comment) How do we put good password protection in browser? How do we generate critical mass for this technology? Would be no brainer to dump dig-auth in a form. I want mechanism that lets me buy an auth token, I am happy to get a plugin to use that, but there still needs to be some some glue for the transport. But I then want to use that anywhere... without being bothered by patents etc. That's stnadardisation question - then where do we do the work - w3c, ietf, ...?

JL: For deployability the ideal is to change nothing. Which is not possible.
... so question is what is the simplest change we can make

Q...: Think we can make one change...

Q: Nice idea. We have been working on a similar one. Problem - passwords can be broken. Better solution would be zero-knowledge password proofs - we posted a position paper on this.

Q: If you embed a one time password approach, why not use zero-knowledge proof?

JL: OTP is not necessarily challenge based, so may not have the same overhead

How sites can manage HTTPS when users dont - Andy Ozment et al.

next slide: simplifying tasks and decisions

AO: Two types of tasks for users - trying to remove the https tasks

next slide: goals

next slide: what's expected today

next slide: method A request

AO: This is what we expect of users, not what they are actually doing.

<beltzner> [um, why does this slide assume that users are typing in direct urls to their login pages?]

<beltzner> [oh, wait, I get it]

AO: nothing in UI to help users decide if it is safe enough to use HTTP plain text

next slide: method B: verify

AO: users can't tell why a domain isn't the one they expected
... mistyped? trsutable redirect? attack?

next slide: tasks and decisions

AO: For an untrusted source, stop user making a mistake by preventing them from using unsafe method for trusted source, or if domain isn't recognised as safe then recheck

next slide: Why don't we have this?

next slide: proposal

<DanC_lap> (dnssec... are the relevant roots doing that yet?)

next slide: query root zone

AO: So the wonderful thing is that Alice uses the specified signed requirement to use SSL foo - no man-in-the-middle hole

next slide: ssr record's capabilities

next slide: design questions

<beltzner> I don't know why this means a user doesn't need to know whether or not they're using an SSL connection, since that's how they'll understand the nature of their connection

Q: Are you anticipating DNSSec will be implemented at browser, or OS level?

AO: anticipate it eventually in OS, but there are resolvers out there and believe browsers can do this until then

<DanC_lap> (what's the dns root's public key? where does a body get it? I'm having trouble navigating http://www.dnssec.net/ (

<DanC_lap> )

SS: Browsers need to be aware of it anyway

Q: Key management is important - who is going to manage the keys and how will DNSSec be deployed?

SS: There is a root key managed by ICANN

AO: Every zone has to sign their zone. The extra complexity is not enormous.

<DanC_lap> (huh? tlr, why is that not a discussion for here? bummer.)

Q: Wells Fargo are 100% under SSL


Q...: Security for pushing metadata down - hadn't considered putting that through DNS

<chaals_> [I'm not too keen to fetch advertising through SSL on a phone]

AO: Problem isn't in SSL - we used SSL 2 for the handshae - this secures info in advance about how to secure the connection

Q: Assuming all this works, I would think the fingerprint of my site key would be useful information to include, since I already trust DNSSec - no onger need to deal with CAs

SS: Already an IETF proposal for storing certificates in domain registry

AO: CAs still needed, e.g. to verify that a business really is themselves

Q: You have value here if you just have a policy record. You have to take account of fact that DNS is not extensible as claimed - it takes 5 years to deploy to 80% ... but you can make it work using prefix records.

Q: In some cases SSL might not be the right solution. It seems W3C could make contribution

<beltzner> scribenick: beltzner

Q: (Jeff, Google) Should we have some sort of standard around metadata infrastructures like DNSSEC?

A: (Naveen, Y!) Yes, that's our assertion. Details need to be worked out.

Q: (Mike mcorkmik) I'm guessing that the service provider would still want to do SSL, so would the IDP model be an alternative trust model? Anybody could get a CA, but enhanced trust could come from an IDP, which is more foaf-like.

A: (Andy) Yes, I think that sounds right.

Q: (Tyler, HP) It occurs to me that there's two issues about SSL, but the "https://" bit, as well as the domain name itself. Perhaps we should just create a standard that says "every domain starting with ssl. should be an ssl site?"

A: (Stuart, Harvard) Our goal was to take this decision out of the user's cognitive domain, so I'm not sure that meets our goal.

jose-ny: thanks for switching back to DSL
... thanks thanks thanks thanks thanks

<chaals> PLEASE PLEASE tell people when you change the network!!!!

Q: Why haven't the browers supported the TLS upgrade stuff?

A: Um, what's the bug number? What sites are using it? Browsers can't keep up with every RFC that comes to mind

<chaals> (thanks beltzner for scribing again)

discussion about relative merits of DNSSec and update-over-TLS

Dean thinks that the browsers need to move first, protocol and browser people think that adoption needs to move first, the chicken things the egg should come first, the egg thinks the chicken should come first

<chaals> [a chicken omelette would be good about now]


Q: Confused when mixing threat of DOS and MiM; I don't think they're orthogonal problems. MiM is more significant to a bank than DOS. Food for thought.

A: General agreement.

seems like people want their coffee break

we are now back on schedule

Candidate Technologies IV: Identity

<Alan> ScribeNick: Alan

Identity 2.0 - John Merrells, SXIP Identity

"which is the Dick on my site"?

User authenticates at Homesite, used at Membersite

SXIP 2.0

DIX protocol

proposing it to IETF

Story about Beth, a bit of an Internet geek

<DanC_lap> (rel="dix:/..." should use HTML profiles)

<DanC_lap> (new dix: uri scheme... unregistered... phppht.)

She contacts Membersite which asks her for homesite id, and then contacts her homesite

<DanC_lap> (javascript redirect?!?! ugh.)

numerous slides with HTML on them buzz by

sxip.net has list of properties

<DanC_lap> (huge overlap with foaf, vcard, p3p)

sxip is not an authentication mechanism, but just moves around authentication properties

uses URLs as identifiers

can have many

discusses security implications

sxip 2.0 designed for low value transactions

<jose-ny> (how is the dix info securely binded to the page, signature? or not relevant?)

<tlr> (jose, you should ask that question during the q&a)

example of how one can save data

Discusses "Claims"

Have done a firefox plugin to do homesite function

Also applicable to Web Services

System available today, recently launched

Q: José Kahan: You are using HTML REL tag. Are you going to sign those pages? Do you do a secure binding to that page?

JM: It's only as secure as DNS. If you want more security, you can do other things.

Q: Danny: How's this different from OpenID?

JM: OpenID doesn't move identity data around, it only does authentication. ... There are privacy issues.

Q: What's your business model?

JM: The protocols are open, and we implement the end points. ... Early deployers use open source code and do it themselves. Later, more business focussed uses will pay for professional services.

Identity Rights Agreements and Provider Reputation - Kaliya Hamlin

ack Phillip Windley

Citizens manage lots of accounts with different entities

problem is growing

"User-centric identity community"

support multiple personnae

Logins imply social agreements

"EULA hell"

our goal: Create standard agreements

<tlr> Mhhh... Have they even looked at P3P?

Add "Human Readable Deed" on top of Legal Agreements

and, machine readable metadata underneath

use Creative Commons model

has gotten uptake because it's easy to use

Identity Rights Agreements

has granularity

problem is how to create good defaults

Value is sites can offer a new range of privacy options

also possible to negotiate agreeement

Trick is to avoid legal system involvement

"Service Provider Reputation"

"User Centric Identity Community"

Q: Frederick Hirsh: The reasons that EULAs are complex is that they are really complicated. How do you get around it?

JM: Creative Commons has solved that problem. Their agreements are "reflective"

Q: Prasad?: I don't get a clear picture of how the data is being used? Or am I off topic?

JM: If you wanted to collect users data, then you would ask the user to agree to that?

Q: (inaudible)

Is there a one-time thing...?

JM: If you wanted to communicate to users would be great, but up to you.

Q: John Linn: Seems some sysergy with P3P, what?

A: I'm not too familiar with P3P. There has been some work. We just want it to work and have users understand it.

Q: Joseph Reagle: I'm a former P3P guy. You are back in the same space. What are we declaring and standardizing? User preferences? Site policies? How about APPL?

Danny: I commend this work. I also second the comments around P3P. A lot of people spent a lot of time developing a vocabulary about privacy, which you could use.
... The contrast between CC and this model, is that CC is for making it easy to share information.
... I can't tell to what extent the range of citizen's policies you want to express.
... Policies are for restricting information flow. My students did a project...?

KH: User's awareness of Internet insecurity is growing.
... But they click on agreements they don't trust or understand. That dissuades users.
... We want to empower people to understand what they are getting into.

Identity Metasystem - Michael Jones, Microsoft

I'm here to evangelize protocols

InfoCard a specific implementation of the protocols

"The Web is Missing an Identity Layer"

It's easy to spoof in the online world

our Goal: Web Authentication Solution

Identities consist of a set of claims

Lessons from Passport

successful for MSN, but not for Internet in general

Set of principles "The Laws of Identity"

Solution to up layer of abstraction" "Identity metasystem"

<beltzner> [meta protocol, eh? sounds like MSFT is cribbing off of IBM! ;)]

Separate the identity transport from identity types

Relying Parties, Subjects and Identity Proveders


<beltzner> hopefully this flash demo will be available on the website

user clicks on "use identiry card", and a new window pops up

shows a set of "cards", some of which are acceptable

you click on the card you want to use, and you are signed in

(goes through first time to store experience)

uses high value certificates

<DanC_lap> (questions: phone number and postal address, along with logo? how do I go from desktop to laptop/cellphone etc.?)

prevents phishing because you'll get a different screen than you normally get from a site you know.

<DanC_lap> (todo: study "claim schema", since its user interface isn't web forms)

site tells what identity info it wants

present implementation isn't storing really valuable information

<DanC_lap> Jones says infocard initial implementation will have no high-value identity info in the schema. no national-id, cc #

leaves open for high value identity providers

data is kept at identity provider site

can be retrieved with a Web Service

<beltzner> (hm - data storedat the provider; local cache? offline use? interesting, though)

<DanC_lap> Jones: visa lets us say they're thinking about payment where the CC # isn't sent; just a digital coupon. [i.e. SET, that kerberos echeck thing]

can avoid transmission of credit card numbers, by presenting "claims"

<Robert_Capps> (is this limited to a single machine, what about multiple users on a single machine?)

<beltzner> (I'd imagine, but am not sure, that it will be associated with the user profile)

<Robert_Capps> (many home users share a common profile between many family members)

<DanC_lap> (a web services endpoint reference. :-( )

Can use USB devices as "Web Services endpoints"

<DanC_lap> Jones: if you use multiple machines, you have to import/export. not great for kiosks

<beltzner> (I think this pragmatic v1, v2, v3 approach is what needs to be done - good on MSFT)

<DanC_lap> ... for v1, anyway

V1 works in "PC scenarios"

All based on Web Services

System can do claims transformation between different systems

<jose-ny> (how many CA will this support? Seems like only one? No icon to identify different CA?)

<jose-ny> (interested in knowing what is the performance scalability of the ws-* implementation :)

"a few HTML extensions"

<jose-ny> extensions for using infocard with web browsers, without SOAP

<DanC_lap> (where's the spec for these HTML extensions? is it in his position paper?)

<DanC_lap> identityselectors.org

screen fills with XHTML

<DanC_lap> urn:schemas-microsoft-com (unregistered, last I checked)

<DanC_lap> wild... in the object syntax, it's http://schemas.microsoft.com

Q: Ian Fette: You said self-issued certs were limited in scope. Is that built in, or just an implementation choice?

MJ: That's just what we did at Microsoft. Others can do more

Q: ?: What's that security thing?

<beltzner> (can't find any APIs for Infocard on the MS site, but that's probably my problem ;) )

MJ: It's something we've had since Win2K. We're beefing it up.
... No access to identity store except through UI

Q: Is the window you select the card running in the same desktop?

MJ: No. It's like Ctl-alt-del

Q: Licenses?

<beltzner> Q: any licensing issues?

<beltzner> (oh, you heard!) :)

MJ: Any user can freely implement.

Candidate Technologies IV: Identity (panel discussion)

Jeff_Nelson: We believe in trust in the UI. How can this interface address those issues?

MJ: One of the reasons the identity selector is not spoofable is that the identity cards are not disclosed(?)
... The malware can put up the chrome, but not get to your cards.

<jose-ny> (laugsh at quote from Talking Heads)

Dave_Jeske: How does a card get into the store?

MJ: That's equivalent to how the identity provider decides to issue you an identity.
... we have no opinion. That's up to the identity provider.

Q: How you you personalize it?

MJ: When you create the self-issue cards, you have a bitmap. When you install, you create an XML file with a Web Service reference.

Chuck_Wade: The financial services industry is regulated. You use of terminology of identity seems to be different among you.

KH: We (identity commons) talk about that a lot. Self asserted identity; third party verification of those assertions. They are different.

JM: We (SXIP) didn't worry about the definitions earlier. I was surprised when I came into this space. The disconnect is to be bridged between real things and digital things.
... Banks do that

<DanC_lap> (developing terminology like this is the sort of thing that wikis are good for. I wonder if the identity commons wiki binds terms like identity, persona, attribute, claim)

JM: I try to dodge the philisophical questions. People should understand the different cards like the do the different cards in their wallets.

Danny: Chuck, did that answer your question?

<jose-ny> (authentication == verification of identity)

Chuck: No. It's a question of how you communicate to the public. Identification vs authentification. We have a lot of difficulties to deal with. How do we go forth with consistent terminology.
... We have work to do.

GS: KDE: When is the last time your wallet popped up an error message?
... A spoofer could pop up a window that looks like your window.

<beltzner> george is thinking about this wrong, I think

<beltzner> if they get the password, they don't have the infocard

JM: If people get into the habit of not using a password, they won't be tricked so readily.

<chaals> [Isn't one in a million good enough results for phishing?]

<beltzner> [sure, but I don't understand what information they'd have]

JM: When we started, we could only stop 30% of phishing attacks. Current system stops 97%. The 3% are 13 year-old boys who will answer anything.

<Robert_Capps> (this is mitigation of risk, not elimination of risk)

Shivram: (didn't get a comment)

Eve_Maler: You mentioned Sun. We are not coauthors of WS-Trust. You were equating SAML with X.509, etc. As a SAML creator, it wouldn't be a matter of a meta-system, but of switching protocols.

<Mez> (what's the x.509 protocol? PKIX? SSL?)

JM: All those come with a protocol. I don't want to suggest that work isn't required. They will have to implement WS-Trust, and use the alternate protocol suite.
... If they want to participate in the metasystem, it's not hard to bolt one more protocol on.

PHB: Never use "identity" if you can use "identifier".

<DanC_lap> (Chuck gave a +1 to "never say 'identity' if you can get away with 'identifier' or 'authentication')

<beltzner> (the rest of the audience said "ew", though)

<Mez> another link on how a certain demographic is easier to subvert with certain social engineering techniques

<Mez> http://www.schneier.com/blog/archives/2006/03/basketball_pran.html

PHB: In Europe, cards have identifiers built in. I think we'll start seeing readers soon.

KH: There's a whole lot going on on our WIKI about this. Come to the workshop.

<DanC_lap> http://www.identitygang.org/

Closing Panel preparation

Danny: We set the goal to see if there is a common space where we can work together. We're going to have one more panel from the browser developers.

<DanC_lap> irony... gotta log-in

From 3:30 to 5:00 we will wrap up.

<beltzner> agreed

<beltzner> thx Alan, for the scribing

<DanC_lap> eek... minuting of djw's list of 3 seems importatnt

<beltzner> DanC_lap: if he wants to update the agenda, he should update the agenda

<jose-ny> ScribeNick: jose-ny

second area: mutual authentication, citizens credentials, incorporating into existing frameworks...

thrid area: browser security best practices

<DanC_lap> I agree, beltzner ; I don't care how it gets into the web (program page or IRC log), but it needs to get there

scribe-nick: jose-ny

Improving Internet Trust and Security - George Staikos; KDE

George: developer of the KDE project. Over 1000 contributors (maybe 1500), invovled in the project since 1999. One of the components of KDE is the konqueror web browser

next slide: Welecome to Konqueror

Konqueror is plugin-based... based on kde libraries

with version kde4, it will be available for windows and mac, in addition to unix

next slide: our problem

Internet is broken, but we cannot fix it ourselves, because people then assume we break it

open source project.. made of volunteers, not enough resources

international project: features and standards that are used have to work in all countries. US and Canada may be the smaller % in terms of usage

next slide: Cryptography

SSL/TLS is showing its limitations now

SSL/ TLS has support for many weak ciphers and signatures... kde's dropping them, even if it breaks the internet, but makes it more secure

some of the encrypted content today can still be valuable later on, when there is more computing power to break the cyphers

usability of cryptography in sofrware is awful

suppor of PGP and S/MIME in the sofrware is really bad. Average user cannot use it effectively

next slide: Identity

The meaning of certificates used in SSL are based on the procedures of the CA that issue them.. these procedures are becoming very muddy, no acocuntabiilty

relying on external auditors

we don't consider this accetpable for any vialble secure system

next slide: Meaning of certificates/identity

No uniformity on .. ( missed this argh)

next slide: proof of identity

bi-directionality certificate verification, proof that the server knows the user, gives a better indication of verification of identity

next slide: passwords

users are familiar with passwords, easy to work with and they can be completed

KWallet, password, form data application in KDE

Multifactor authentication useful, but not usable. People try to circumvent it because of its lack of usability

next slide: Usability... is hard!

All applications should have the same uniform indicators. This will really help users. At the same time, this makes phishing very easy

<beltzner> [15 days! he needs more contributors!]

Addiing UI to the browser helps users, but one has to be careful to not overload it... long debate (15-20 days) for each new button or UI

next slide: shows an interface overload

<beltzner> [bah, I can outdo that - anyone seen the Fx with 100 plugins?]

screen full of buttons, text fields, etc.

next slide: Usability and Content

Content should not be able to manipulate the chrome, it should not be able to still user keypresses.. ajax should go out

next slide: Active Approaches to Security

OCSP, anti=phishing, live content information in the chrome, sofrware updates...

<beltzner> [where'd my WEP key sheet go?]

all of this approaches open new attack vectors... attacks on OCSP can shut down the good users too

One should be careful with them, but they are really useful

Slide Conclusion:

many problems. their solutions should be done without breaking the internet

Playing with the user agent UJI is risky and should be reconsidered

KDE UIs is not yet usable

(not sure if it's KDE or a general Our current UI)

DJW: What are the areas you want to address?

GS: We want to address all of them, but we want to be careful, not throw in new tool-bars, buttons everywhere. We want to be very careful to be sure other vendors will follow- up on what we do

to avoid confusing users

Mike_Mcormick: Do you know if the CA actually verify if the requestor of a certificate actually comes from the domain it intends to be?

GS: there are homonyms and other problems.. everything is based on the DNS system.. .dns poisoning is an effective attack

<beltzner> [Fx w/100 plugins: http://splasho.com/blog/wp-content/uploads/screenshot.png ]

Amir_Herzberg: Did you consider the possibility of having a UI to allow the users to select with CA they consider valid?

<chaals> wierd. They changed the key I think

GS: No, but it's something we can consider. Concerned with the UJI and usability.. how the average user will interact with this UI

<beltzner> (that was the one that was printed yesterday)

Jeff_Altman: I usually turn on as many options as possible in my browser. However, many web sites don't have the necessary or correct infrastructure.
... Seems you're saying that the extensiblity of protocols has not been accurately leveraged. The problem we have is how to move forward to adopt new protocols.

GS: If three major web browser vendors drop the insecure protocol features, this will give a message to web sites to follow-up (or force them)

Sending the Right Signals, Mike Beltzner, phenomenologist mozilla corporation

next slide: 20 min = 1200 sec

next slide: Mozilla's core belief

mozilla believes in innovaction, choice, and security

the two big ones are innovation and choice

but expects to become more sensitive about security

next slide: Firefox numbers

next slide: What's next

firefox 2 -- Q3 2006

plans at mozilla wik

most of the plans will be aounrd wiki

firefox3... more uji changes, 2007

next slide: Sending the right signals

O'reilly sec. and usability book is nice, but put me to sleep in some places

The one that influenced me the most is small pieces loosely joined

<chaals> who was the guy thinking aboot the web?

<chaals> oh. David Weinberger

book says how we live in a context defined by our physical / real world. As soon as we step into the virtual internet world, this context breaks down

e.g. location breaks down

next slide: then, read my paper


how to map something that gives / establishes trust into the online world

next slide: fine, here's a summary

<chaals> Pecorra, no member access?

<pecorra_> no..

Jane strolls thru manhattan for the first time... she sees some shops, just by glancing, she sees rich signals that let her guess what those shops are about

these rich signa;s don't exist online

we need better signals online

There are more phishers on the online world than in the real world, because it's cheaper, and these signa;s are not as rich, easier to forge, easier to confuse people

Telling people not to click on links on emails is @#$%

we are missing rich signals for online security, we need more education security. This could happen with hollywod

You can't build the mental model or even map to it. We need better signals

next slide: What can we do for firefox 2 /3

Slide Requirements

We don't innovate because we are hippies, but because we believe in it

People don't care that people see their personal information. They care that people don't have the choice to give away or not that information

<chaals> [so can we make this public, so invitees can see it?]

(chaals, not before cleaning the mi nutes... irc lurking yes, no participation on it)

Avoid accepting false positives. Give clear signals

Think what it means when we don't say something. If someone is first protected from a phishing attack, this doesn't mean this person is protected from all future phish. parties

next slide: Leverage new features

updates to ssl inteface

places .. use a places infrastructure to store information from petnames, trustbarr, .. applications

Make sure that any solution for anti-hishing and SSL tools has APIs so that people can innovate around it

next slide: Write an extension

In firefox we give you everything. People feel our API is our codebase

Popular extensions often get "uplifted"


(missed question and answer... something about something on the mozilla cvs server)

encrypion api?

Q: is there any kind of process to use these APIs?

A: it's quite easy, XPI, etc..

Chuck: Continuous innovation, there's a community... we keep getting lots of extensions. this happens a lot and works... like ajax... however, this has not worked for security. UI are horrible

people have been submitted bug reports for years and they just haven't been addressed. What can be done to have a better process for imrproving security. This requires care and attention

JA: Make it a univeristy project. You need someone that is going to drive that project to resolution

<beltzner> my presentation is available at http://people.mozilla.org/~beltzner/w3cpresentation/sending-the-right-signals.html

Security for users and browsers. Charles McCathieNeville (Opera)

Main concerns in opera are speed, size, and security

next slide: there is one web

the web is and goes everywhere. xhtml, css, svg, dom.. voice browsing, mail, chat... many technologies and platforms

and interfaces

Voice browsers are particularly problematic... voice state is not the same as visual state

We don't need a perfect solution, but something thst is better

next slide: The mobile web

smart phones ,..

next slide: Powerful handsets

onegrastion of telephone functions into the web

password manager in phones is crucial.. retyping a password many times shouws this

Anything that will reduce the data flow is worthwhile (expensive bandwidth cost in mobile devices)

next slide: Cheaper devices

demo of opera mini simulator

back to slide : cheaper devices.. or simple uses

old phones don't die.. they just hang around

next slide: the users... it's a big world

we want to know with whom we are dealing: bank, goverment, store, ...

people don't care much about security, until something bad happens

next slide: the browsers

we need to help users, make their life easier

cross-scripting blocks exist, people know about them, but there is no specified behavior. It is a common browser hack and it gets cracked

telling people to not do cross-site scripting because there are security concerns sounds anti-web

need cooperating between browser manufacturers

everybody cares about security and believes they are doing a pretty good job about it

<beltzner> [did I just get dissed?]

adding new features may be easier, removing them isn't... decision to add / alter something has to be done with more and more precaution

<beltzner> Mez: great point/question

next slide: write an extension.. we have grease-monkey and other things

Candidate Technologies V: Browsers (panel discussion)

Q: do you have a permanent forum for coordinate your UI?

A: No... not yet. We have been discussing about setting up that forum... It's not a formal thing, but it has started. Informally, we speak all the time

Q: When adding new features things, there will be a transition periond when the internet will break. What can we do to smooth this transition, federation?

A: there's a lot of leverage when there is a change.. everyone has to adopt this change. They need to know how they will be (or not) be impacted by the change. this will help smooth the transtions.

We need to make testing

Q: If security is important, how can we differentiate between diff. products?

A: (self-answered) the browser that breaks the least is the one that will be better seen, even if it doesn't do the right things for security

Fred_Hisch: How will all these changes to UI affect accesibility?

scratchj that q:

Chuck: there is another content that needs to be presented: content producers. Seems like a big problem is to coarce the server side to move forward

not sure if there was an answer!

Q: solutions to phishing today that resort to clickstreams have big impact on user privacy. Is there something we can do that will have less impact on privacy?

GS: not yet, but we would like to look at simpler solutions

MB: thinks that having more signals to the users is the better solution, rather than clickstreams

CMN: We don't want to make minimal ui changes because we want to say minimal. We want to make more than one change, if it's important. We want to move along if all of the browsers move at the same time. We don't want to make an experimental change that we may be stuck up for

PHB: Could we expose the x.509i information as an API, rather than having people hack at the base. Banks and other people could do extensions, prototypes, test fields.

A: (none)

<Mez> [are the problems really in the content area? I've kept assuming they were in the foundation; protocols, UI/chrome. So I'm confused by the content references.]

Amir: I'm interested as a researcher in making prototypes or code that can impact the most people and the biggest contribution. Should I choose your platform or IE?

<RalfCHauser> similarly to x509, expose TLS handshake info (e.g. hashes of the FIN messge http://www.rfc.net/rfc2246.html#s7.4.9.) such that MITM resistant auth can be prototyped with extensions (as per http://www.esecurity.ch/OHB06b.pdf)

Chaals: we have to follow IE often. Sometimes, IE follows other people

(what is lockstep?)

GS: we can't do everything together or there would be a single browser... there will be differences. Backward compatibility has been a big provlem

MB: Firefox: we don't want to see it as "you lead, we follow", rather that we all want to work together and move in the same direction

<Mez> [lock step - everyone taking each single step at the same time; no one ahead, no on behind]

Q: The fact that you compete provides you from cooperating

MB: if we solve security and as a consequence, firefox disappears, I won't feel bad

DJW: the goal is to motivate you to throw down this competition and work together to solve the security problem

What have we learned from these last two days? - Dan Schutzer

<Mez> ScribeNick: Mez

Dan S gives a summary

three topic areas to be discussed

how do we best strengthen mutual auth signals and constrain reuse of authen creds?

server to client auth

client to server auth with existing solns and stds

how do we strength the path between client and server to constrain the effectiveness of local malware on the client?

who do we create a safer browsing mode to minimize the likelihood of forgeries of indications and warnings?

what standardized as best practice?

what left for competitve differentiation?

across all 3, how asssess the usabiliy?

will be adopted

used in ways intended and not subverted

by user

a framework to put it all in too

cat 1, other kinds of signals, logo type, xul (mut authen)

related, all identity mgmt, info card, liberty, open id, etc


<scribe> ongoing ietf efforts (jeff)

improve http auth for a wide variety of prots

danny: if there's work done and can encourage, wouldn't want to redo something already done

Jeff: http auth not the strongest area of ietf suite

AmirH: prots only define info exchange. where we can contribute is other mechanism for quick adoption

unique IDs for form fillers, otp information, etc., in html

then migrate into http stack

labelling (signed) for web sites (amir). W3C has done similiar successful work in past

indicate security properties, does not contain misleading images

schema typical w3c work

protocols for distributing efficiently or securely

protocol work can work well together with ietf

frederick hirsch: give an indication in the browser too

will share with liberty once there are materials on web

Danny: summary report from this workshop will be there

Tyler: heard using pword managers good. automatic generation of passwords from browser would be useful
... different web sites have different restrictions on pword composition

DJW: xforms may help ... may suggest as best practice

Phil: mutual authen best practices currently fragmented
... fstc, antiphishing wg
... w3c can speak with authority like no other
... w3c creates standards for the web
... inbound authen and outbound authen
... inbound from consumer to bank, lots of work, w3c could be a meeting place
... (oops, he called tha toutbound)
... part not covered is inbound from bank to customer
... trusted party to user
... no where else does UI part of problem

lisa: http used for several apps that don't have forms
... webdav, she mentions 5 others

<Mez_> [and my division's rich client]

lisa: how many schemes for anti phishing would work for both sides; maybe 1 in 4, maybe 1

<beltzner> [when is notes-on-eclipse coming, anyway?]

<Mez_> [I'd tell you but I'd have to shoot you]

<beltzner> [haha]

danny: dan c and others, figure out how to rejuvenate ietf and related discussions

Lisa: 3 internet drafts on HTTP authentication

chuck: basic auth was a good idea in terms of authen from web site to end user via dialog box, but security insufficient

<scribe> ... new dialog that does mutual authentication as part of that

DJW: how many have interest

shivaram: authentication, especially password related, is what we're talking about
... large scale deployments, cannot deploy strong authentication to the client
... protocol and infrastructure work needs to be done
... browser based work needs to be done, with usability
... web services, perl, accessing web based services also need to authenticate

prashant: clarify terminology, what is identity?

Amir: server authentication, two cases - visual clues, and actual shared secret protocols

going to item number 3, safe browsing mode of some sort, scope of scripting functionality, general best practices to be specified, when user authenticating, recipient would like to know something about browser state to assess reliability

dan_s: vendors or suppliers, content guys, willing to operate under safe browsing mode, like FIs worried about spoofing
... only web pages that can appear are strongly authenticated ones, perhaps like what verisign said with an additional signature
... bank specific digital signature - signifies is a bank
... be put in that mode or put themselves in that mode

amir: a good idea. working on prototyping. related to labels on authentication of web sites.
... FIs usually protected by SSL. may want to protect other pages in a more efficient way.

Mike: turning off functionality, which breaks the web, which makes browser vendors nervous
... examination of task space when filling out forms. what taking away when see a username/password?
... make the user aware there's a request to use functionality that could be used for spoofing

<chaals> trust leads to investment, therefore risk. A safe mode that only banks can afford? Signing content as needed? A standard approach (which will take time, not just proposals, to settle out what people are going to use)

charles: we want all the things Danny said
... trust leads to investment, and investment leads to risks, don't want to blow away client's investment
... we turn off security restrictions in certain cases

what do banks have that others don't, other than a bucket load of money?

could be expensive, but since there are people with a lot of money, may give it a try

but if use cases fails, need to go back and reimplement

very little about signing content instead of how authenticate who I'm talking to

why shouldn't I trust my blog? or some other blogger?

<Alan> ³I rob banks because that's where the money is.² Willie Sutton

would be useful to lay out security hacks more clearly to content developers

mez: +1

<beltzner> beltzner: +2

mike_m: push down security policy from web site to browser, 128 bit keys, MIT suggested dnssec, fstc disussed making this part of SSL handshake

mike_b: instead of safe browsing mode, a form with a certain uesrname/password should lock down functionality just there

phil: dns security policy problem, always a downgrade attack. Not just http, email. Would be great to say mail server always offers ssl upgrade in band
... that should be handed to ietf, to not deploy a new resource record
... existing DNS does not support extension - takes 5 year

[amir making twitchy noises]

jeff: if can do it with service record, just needs to be defined for specific protocol, 1 page draft

<chaals> [I suggest a look at the mobile world, where they do this all the time]

chuck: why can't the web server find out what the browser can accept? currently configured in an unacceptable mode

<beltzner> chaals: do what all the time?

<chaals> [...look at the browser annd what it does in excruciating detail (and at some real cost :( ) ]

chuck: then web sites can take a proactive role in figuring out if things are safe

<chaals> Bye folks...

<beltzner> chaals, nice meeting you

<beltzner> chaals, safe flight

<chaals> safe home folks. Thanks Mike

topic 2 - strengthen path between server and client

Dan_s: get lower in the stack, more trusted path
... malware then can't get into this interaction
... otherwise it's reading and intercepting everything you're doing

danny: sounds like trusted computing group/base

could think of strengthening the contact

[lenovo just announced using something like tcg for drm, with biometrics]

shivaram: client could be dumb, could be smart, how can you do this?

amir: first strengthen path between user and client (did I get his point?)

dan_s: eliminate real time mitm attacks because it's sitting where you're generating one time passwords

david: distinguish between channel improvements and user/usability improvements
... all for many of the channel security improvements. have done stronger crypto in the past
... haven't hit on formula for solving the user problem
... users are not paying attention to negative signals
... solve their problem
... if ask them to ignore information in front of them, will run into trouble
... they'll do anything in front of them to solve their problem

danny: focus on usability testing. If we just did two of the many ideas, we'd have a shot a forward movement.

do user feedback in web accessability

(still david?): innovation is the way out.

petnames, browser trustmarks, only usability or limited deployments will say if they work

dan_c: some orgs here have usability labs. think about ways to share usability testing results.

tyler: not at a university with student test subjects, browsers ask users to be in tests?

beltzner: we're looking at ways to allow extension developers to get more feedback from world

push newgroups for more collaborative model

alan: large financial institutions, mock up new interfaces, have customers test them. don't those big companies do that?

mez: try doing something at SOUPS in July

(who is this? Jeff?): do appropriate networking, run surveys

dan_s: try to understand possible solutions and usability, want them to achieve objectives

friendly user test first (employees), something could be piloted

danny: mocking up extensions quickly is easier, and implementation expectations are higher

(who? can't see in the sun): can't lock folks in a usability lab for a year

have a usability labs, happy to look at proposals, would evangelize

<Mez_> [Rachna and Mez like the idea of something right before or after SOUPS]

Conclusion, thanks to the host

DJW: wrapping up... mailing list to talk on, a report that summarizes, the report will be public after participant review

thoughts on work to charter at W3C; talk to Thomas. will get out rough draft charters

thanks to Thomas and Dan S, program committee helpful, thanks to Citibank, thanks to Cisco for connectivity

stay safe out there

<beltzner> ciao, all

story about connection

<chaals> This room had no power or network. Yesterday they pulled a whole lot of cables up from a lot of floors below. Today Cisco installed a satellite system to provide the networking

<chaals> It was set up last night in about half an hour (mostly involving taking the things out of the boxes on the roof with the great view)

<beltzner> 800ms ping times; awesome!

<beltzner> [so, I guess I shouldn't pull from trunk, eh?]

<chaals> [various discussion about the satellite and how it works... ]

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.127 (CVS log)
$Date: 2006/04/24 15:32:17 $