IRC log of security-ws on 2006-03-15

Timestamps are in UTC.

12:44:15 [RRSAgent]
RRSAgent has joined #security-ws
12:44:15 [RRSAgent]
logging to
12:44:59 [Ian_Fette_CMU]
Ian_Fette_CMU has joined #security-ws
12:45:52 [Keeper]
Keeper has joined #security-ws
12:50:34 [DanC_lap]
DanC_lap has joined #security-ws
12:53:24 [RalphS]
RalphS has joined #security-ws
13:10:45 [jose-ny]
ralphs, thanks
13:23:56 [Alan]
Alan has joined #security-ws
13:26:11 [DanielD]
DanielD has joined #security-ws
13:33:36 [Alan]
Alan has joined #security-ws
13:39:55 [jose-ny]
scribenick: jose
13:40:08 [jose-ny]
scribenick: jose-ny
13:40:18 [jose-ny]
rrsagent, where am I?
13:40:18 [Phil]
Phil has joined #security-ws
13:41:49 [beltzner]
beltzner has joined #security-ws
13:42:17 [jose-ny]
Introduction: Gary Worth, CitiGroup
13:44:37 [jose-ny]
Dan Schutzer: Financial Services Consortium (?)
13:45:07 [jose-ny]
Concerned about vendor authentication on the web, and authentication of users
13:45:35 [jose-ny]
requirement is to have mutual authentication
13:46:39 [jose-ny]
they have requirements, but need to work with customers and vendors so that the infrastructure is trusted, easy to use and integrate
13:46:56 [jose-ny]
Danny Weitzner (W3C)
13:47:21 [jose-ny]
This WS is the second act of the W3C and financial services working together
13:47:54 [jose-ny]
first round of requirements led to xml-sig, xml-enc and xkms
13:48:28 [jose-ny]
The hope is to get a clear set of requirements from this WS
13:49:03 [Alan]
Alan has joined #security-ws
13:49:27 [jose-ny]
DJW: consider that we're not considering just browsers on computers, but on any mobile device
13:50:11 [jose-ny]
DJW: W3C has workshops because it's a pretty unique opportunity to develop consensus on an area of work that can be interested, what are the common threads and where we can get some useful work done
13:50:11 [chaals]
chaals has joined #security-ws
13:50:44 [jaltman]
jaltman has joined #security-ws
13:50:46 [vircuser]
vircuser has joined #security-ws
13:50:47 [beltzner]
DJW: standard UI wasn't thought to be the solution, but a lack of shared UI metaphors for security has been identified as a weakness
13:50:54 [DanC_lap]
DanC_lap has joined #security-ws
13:51:27 [jose-ny]
DJW: We have a critical mass of people here. We should not aim at solving every problem, but try to identify short term, quick term solutions that we can get together on. Try to avoid having a long-time rec. creation
13:52:05 [DanC_lap]
DanC_lap has changed the topic to:
13:52:10 [peter]
peter has joined #security-ws
13:53:30 [DanC_lap]
(is there a registration results page?)
13:53:38 [jose-ny]
(Introductions of everyone in the room and their motivations... skipped)
13:53:46 [DanC_lap]
- Mike B Mozilla
13:54:08 [DanC_lap]
ff2 end of year
13:54:34 [beltzner]
if not sooner
13:54:48 [beltzner]
if anyone wants to see the plans
13:54:49 [DanC_lap]
? from Yahoo
13:54:56 [DanC_lap]
? from Harvard
13:54:59 [Phil]
Phil has joined #security-ws
13:55:11 [DanC_lap]
Drew Dean from Yahoo
13:56:06 [steve]
steve has joined #security-ws
13:56:33 [DanC_lap]
I guess has all the names
13:56:43 [DanC_lap]
but it doesn't have affiliations :-(
13:56:56 [DanC_lap]
Nelson, Google
13:57:13 [chaals]
Charles McCathieNevile, Opera software. Opera's chief standards officer, fascinated by security and trust (Yngve P is our real paranoiac - I am like the drummer hanging around the musicians). Looking for long-term work to get underway - we have started a bunch of short-term work among browser groups already, and welcome feedback on that
13:57:47 [virc2user]
virc2user has joined #security-ws
13:58:46 [chaals]
... Opera runs across mobile platforms, TVs, and various other platforms as well as desktops, and we want stuff that works for users in all those environments
14:00:31 [vircuser]
vircuser has joined #security-ws
14:00:44 [LisaDu]
LisaDu has joined #security-ws
14:02:39 [vircuser]
The wireless connection is a bit flaky, people keep appearing and disappearing
14:05:20 [beltzner]
that was a very good point, sad to have missed the name
14:05:46 [jose-ny]
Dieter Bard
14:06:35 [jaltman_]
jaltman_ has joined #security-ws
14:06:38 [DanC_lap]
DanC_lap has joined #security-ws
14:06:40 [beltzner]
chaals: you and I should just set up court off to the side :)
14:07:05 [DanC_lap]
- Andy Ozment MIT Lincoln Laboratory
14:07:24 [DanC_lap]
- Daniel J. Weitzner W3C/MIT
14:07:36 [Mez]
Mez has joined #security-ws
14:07:36 [DanC_lap]
- Peter Lipp IAIK, Graz University of Technology
14:08:02 [DanC_lap]
- Ami Grynberg Protecteer, LLC
14:08:33 [chaals]
PHB: We want something that reduces the return to the bad guys - doesn't have to be perfect, we're trying to make stuff better
14:08:39 [DanC_lap]
- Daniel Schutzer FSTC (Financial Services Technology Consortium)
14:09:21 [DanC_lap]
PHB: I'm interested in federated identity and such, but perhaps more: authentication of the bank/service _to_ the user; I think that's a hole that needs filling
14:09:38 [DanC_lap]
- Shivaram Mysore Microsoft Corporation
14:10:04 [DanC_lap]
- Amir Herzberg Bar Ilan University
14:10:34 [Danny]
Danny has joined #security-ws
14:10:56 [DanC_lap]
- Chuck Wade Financial Services Technology Consortium (FSTC)
14:10:56 [DanC_lap]
Better Mutual Authentication Project
14:11:32 [DanC_lap]
- Frederick Hirsch Nokia
14:11:46 [DanC_lap]
- Tim Moses Entrust Inc.
14:12:00 [DanC_lap]
acting chair of CA browsing forum
14:12:36 [DanC_lap]
- Daniel Dreymann Goodmail Systems
14:13:42 [DanC_lap]
- John Merrells Sxip Identity
14:14:07 [DanC_lap]
... there's a DIX WG in IETF
14:14:21 [DanC_lap]
(I also forgot to mention that I'm W3C's liaison to IETF)
14:14:39 [DanC_lap]
[missed one]
14:14:53 [DanC_lap]
- John Linn RSA Laboratories
14:14:58 [peter]
peter has joined #security-ws
14:16:08 [DanC_lap]
- Kenneth Wright II Kenneth Wright II
14:16:09 [DanC_lap]
Electronic Fraud Research
14:16:09 [DanC_lap]
World Savings Bank, FSB
14:16:32 [DanC_lap]
(that was Kenneth, not Robert, right?)
14:16:37 [DanC_lap]
14:16:38 [jose-ny]
jose-ny has joined #security-ws
14:16:52 [DanC_lap]
- Mary Ellen Zurko IBM Software Group
14:17:19 [steveB]
steveB has joined #security-ws
14:17:45 [DanC_lap]
- Moti Yung RSAsecurity Inc.
14:18:14 [DanC_lap]
- Robert Capps World Savings Bank, FSB
14:18:36 [DanC_lap]
(anybody got a pointer to that multi-factor auth advice? I suppose it's cited from various position papers?)
14:18:39 [chaals]
[for the record, a comment from Johan Hjelm in the ubiquitous web workshop (which had a lot of push for security). "Users don't care at all about privacy and security - they are not interested. Until something breaks, and then they get *very* unhappy"...]
14:18:49 [DanC_lap]
- George Staikos KDE
14:19:34 [DanC_lap]
- Michael Rowan GeoTrust
14:19:56 [DanC_lap]
- Chris Bailey GeoTrust, Inc.
14:20:08 [DanC_lap]
- KIRK HALL GeoTrust
14:20:34 [DanC_lap]
- Phil Archer ICRA
14:21:09 [Phil]
Phil Archer, ICRA, an industry-funded charity working to make the Web safer for children
14:21:11 [DanC_lap]
[the view really is stunning]
14:21:34 [GeorgeStaikos]
GeorgeStaikos has joined #security-ws
14:22:13 [jose-ny]
--- First presentation
14:22:22 [DanC_lap]
Topic: Requirements, Fette
14:22:24 [GeorgeStaikos]
Is it acceptable to invite people from our organizations who are not present at the meeting to this irc channel?
14:22:31 [jose-ny]
Ian Fette: Web Security Requirements: A phishing perspective: What is usability, how are we failing?
14:22:56 [jose-ny]
The phishing problem: It's easy to fake a page and collect user information
14:23:27 [DanC_lap]
hmm... good question, GeorgeStaikos ... does anybody in the channel object to lurkers from outside the room? should I put the question to the room, or ask tlr to?
14:23:35 [jose-ny]
slide: showing a survey that requests information
14:23:59 [DanC_lap]
(is it safe to assume that the slides will be part of the workshop proceedings? do you know, jose?)
14:24:01 [jose-ny]
what does it mean for security to be usable, what security features do we currently have... how we have failed, succeeded...
14:24:11 [jose-ny]
danc_lap, yes
14:24:21 [jose-ny]
and afaik, tlr said this irc channel is public
14:24:33 [jose-ny]
but people from outside the ws should not post questions here
14:24:47 [jose-ny]
(unless we have an open session)
14:24:50 [GeorgeStaikos]
yeah the channel is not hidden
14:25:07 [GeorgeStaikos]
jose-ny: in order to prevent that, we would need to have a moderator
14:25:37 [jose-ny]
GeorgeStaikos: let's ask tlr at the break (trying to listen :)
14:25:58 [jose-ny]
usable security: any interactions with the user should be understandable by the user
14:26:10 [mrowan007]
mrowan007 has joined #security-ws
14:26:11 [jose-ny]
Current security features:
14:26:25 [jose-ny]
the lock in browsers (confusing, ignored)
14:26:31 [jose-ny]
rsa secure id...
14:27:01 [DanC_lap]
GeorgeStaikos, I asked tlr by sneaker-net. He says yes, it's OK to invite other folks.
14:27:05 [beltzner]
what does the lock mean? does it mean I'm safe? does it mean it's already secure?
14:27:12 [chaals]
[captcha: see for example - I have a colleague who was trying to get a service in korea, and was doing fine bashing his way through the page until it came to entering the korean CAPTCHA text...]
14:27:30 [jose-ny]
slide: shows a chase manhattan login with a lock. the lock is just an image.. it doesn't say anything about the security
14:27:38 [GeorgeStaikos]
DanC_lap: thanks
14:27:58 [jose-ny]
showing just a lock, doesn't mean we are secure
14:28:41 [jose-ny]
rsa securId: vulnerable to man in the middle attack
14:28:45 [jaltman_]
jaltman_ has joined #security-ws
14:29:05 [jose-ny]
passmark sitesecure: can be spoofed
14:30:00 [vircuser]
vircuser has joined #security-ws
14:30:03 [jose-ny]
phishing toolbars: crying wolf problem... shows so many warnings that people pay less attention to them
14:32:47 [peter]
peter has joined #security-ws
14:33:10 [virc2user]
virc2user has joined #security-ws
14:33:43 [Danny_]
Danny_ has joined #security-ws
14:33:49 [jaltman_]
jaltman_ has joined #security-ws
14:33:50 [jose-ny]
some points their Carnegie Mellon group is looking at: heuristics, semantics, trust reports (like new virus updates for Norton...), out-of-band security, user experience
14:34:15 [beltzner]
users can get phished more than once (interesting!)
14:34:25 [jose-ny]
user experience: to learn why they were not so aware, and how to train them
14:35:32 [jose-ny]
expectations for user action should be minimal. We should not expect them not to fall for phishing attacks, but make it impossible for this attack to happen
14:36:20 [jose-ny]
DanC: RSA SecurID is vulnerable to MiM attack in 60 mins. Is this a reason to dismiss it?
14:36:41 [jose-ny]
IF: no. It's just a way to say that the problem is not completely solved
14:37:02 [DanC_lap]
DanC_lap has joined #security-ws
14:37:18 [jose-ny]
Andy G (MIT lincoln): What better education can we give users than have them defrauded?
14:37:34 [jose-ny]
IF: Education is part of the solution, but not the only solution
14:37:49 [GeorgeStaikos]
GeorgeStaikos has joined #security-ws
14:38:00 [jose-ny]
Jeffrey Abrams: Education is not just for users, but for everyone in the chain
14:38:03 [GeorgeStaikos]
someone keeps stealing IP addresses!
14:38:21 [jose-ny]
seems like a dhcp server problem
14:38:46 [jose-ny]
Second presentation: Dieter R. Bartl: Optimising authentication features in the web browser
14:39:50 [jose-ny]
how can we distinguish the original from the fake?
14:41:56 [jose-ny]
browsers have four properties today: address, menu bars, lock, key lock properties
14:43:19 [jose-ny]
among these features, the one users are most familiar with is the address bar.
14:43:37 [jose-ny]
the other ones are mostly unknown or hard to use
14:44:07 [jaltman_]
jaltman_ has joined #security-ws
14:45:29 [thiago]
thiago has joined #security-ws
14:45:32 [jose-ny]
falsification techniques include: domains with similar names, JavaScript used to alter the browser (remove address field), or to fake a secure page, or faking web sites
14:46:04 [jose-ny]
(the previous were ways to forge authentication features)
14:46:44 [jose-ny]
among these ones, the easiest and most effective fake is to attack the address field (hide it?) and second, to add a lock that doesn't mean anything
14:47:35 [jose-ny]
countermeasures to these attacks:
14:48:04 [jose-ny]
make it harder to forge sites, restrict how scripts can modify a browser
14:49:05 [chaals-]
chaals- has joined #security-ws
14:49:13 [jose-ny]
conclusion: web browsers are capable of verifying web page authenticity, but this does not work in practice: authentication requires expertise, authentication features can be faked
14:49:19 [chaals-]
[network is pretty dodgy]
14:49:23 [chaals-]
rrsagent, draft minutes
14:49:23 [RRSAgent]
I have made the request to generate chaals-
14:49:31 [jose-ny]
this is serious: phishing attacks cause financial damage and erode trust
14:49:48 [jose-ny]
and will in the end damage the reputation of e-business and the web
14:50:08 [DanC_lap]
[network has occasional glitches, but is quite good compared to the last couple places I've been.]
14:50:22 [jose-ny]
The solution needs the involvement of browser vendors and users need to be aware of these issues and feel confident about the solutions proposed by browsers
14:50:25 [jose-ny]
rrsagent, draft minutes
14:50:25 [RRSAgent]
I have made the request to generate jose-ny
14:50:33 [jose-ny]
rrsagent, make minutes public
14:50:33 [RRSAgent]
I'm logging. I don't understand 'make minutes public', jose-ny. Try /msg RRSAgent help
14:50:36 [chaals-]
[DanC, true...]
14:50:48 [jose-ny]
rrsagent, make minutes world
14:50:48 [RRSAgent]
I'm logging. I don't understand 'make minutes world', jose-ny. Try /msg RRSAgent help
14:50:59 [DanC_lap]
jose-ny, I dunno if the real-time chat should be public, without any delay or review
(someone) what is the relationship between a lock and its properties?
14:53:13 [beltzner]
(does anyone know if the room to the west side has a sneaky back-route to the restroom? so I don't have to walk in front of everyone ...)
14:53:15 [DanC_lap]
I gather that his point is: the risk associated with spoofing the key lock properties is higher, since users are less familiar with it
14:53:37 [jose-ny]
(oops, missed this question.. can someone help?)
14:53:38 [Robert_Capps]
Robert_Capps has joined #security-ws
14:53:59 [jose-ny]
answer: people are more aware of a key lock (icon or browser?) than the properties related to it
14:54:15 [GeorgeStaikos]
(or what it really means)
14:56:52 [DanC_lap]
Muz/IBM: indeed, I agree with [prev speaker] that an important point in your paper is: we could have a more secure version of a browser, with fewer features
14:56:56 [jose-ny]
Mez: agrees that we could consider a higher security level with fewer browser features. For a long time, we have had browsers adding too many features (marketing), with security following behind
14:57:12 [beltzner]
that doesn't speak to the user's primary objective, though
14:57:22 [beltzner]
which is to see the funny movie where the monkey smells his finger
14:58:05 [jose-ny]
dieter: thinks it's a move in the right direction, but not sure if it's the 100% solution. It's a run between hackers and sec. engineers. It is rather one step towards a better solution
14:58:43 [jose-ny]
Better Mutual Authentication Project
14:58:47 [GeorgeStaikos]
funny, someone just emailed the KDE core developer list with strong concerns about plans to remove features
14:59:01 [jose-ny]
xx from Financial Services Tec. Consortium
14:59:09 [peter]
peter has joined #security-ws
14:59:30 [jaltman_]
jaltman_ has joined #security-ws
15:00:23 [jose-ny]
the better mutual authentication project has participants from securities industries, financial inst. & assoc., other associations, gov. associations, tech. vendors
15:01:31 [vircuser]
vircuser has joined #security-ws
15:03:09 [jose-ny]
financial industry recognizes there is a problem, and also that it cannot solve it itself. Needs cross-industry cooperation: vendors, ISP providers, users...
15:04:23 [jose-ny]
potential for fraud is what has blocked the introduction of new financial services on the existing web infrastructure
15:04:53 [jose-ny]
today's biggest problem is the MiM attack, in addition to the trad. phishing attacks
15:05:05 [jose-ny]
financial malware is tomorrow's problem... it's already here
15:07:07 [djweitzner]
djweitzner has joined #security-ws
15:07:19 [jaltman_]
jaltman_ has joined #security-ws
15:07:54 [jaltman]
looks like 00:16:B6:0C:D1:93 may be a bad access point
15:08:28 [beltzner]
yeah, I got around some badness by resetting my airport
15:08:35 [Robert_Capps]
Robert_Capps has joined #security-ws
15:09:18 [jose-ny]
we need to clean up current practice, improve the situation, have both short term solutions and long term plans
15:10:19 [jose-ny]
We need to get terminology everyone can understand. "Federated identity" is not a layman's term
15:11:53 [beltzner]
(do we have a link to this requirements and recommendations document? can we get one?)
15:14:06 [RalfCHauser]
RalfCHauser has joined #security-ws
15:14:23 [jose-ny]
need to establish a comprehensive architectural framework for web authentication
15:14:29 [chaals-]
chaals- has joined #security-ws
15:14:40 [chaals-]
rrsagent, draft minutes
15:14:40 [RRSAgent]
I have made the request to generate chaals-
15:14:43 [jose-ny]
This framework should incorporate people (users) into the architecture
15:14:54 [DanielD]
DanielD has left #security-ws
15:16:13 [chaals-]
rrsagent, make minutes member
15:16:13 [RRSAgent]
I'm logging. I don't understand 'make minutes member', chaals-. Try /msg RRSAgent help
15:16:50 [chaals-]
rrsagent, make log member
15:18:14 [jose-ny]
establish new CA hierarchies that conform to financial industry policies
15:18:25 [jose-ny]
browsers should be distributed with no CA pre-established
15:19:08 [beltzner]
s/no// ?
15:19:10 [vircuser]
What is the confidentiality status of the meeting?
15:19:10 [jose-ny]
users should rather enable the CAs they need as needed
15:19:16 [beltzner]
vircuser: none
15:19:21 [vircuser]
nick phillhb
15:19:32 [vircuser]
So no problem if I blog?
15:19:43 [chaals-]
Meeting: W3C usable security workshop
15:19:46 [jose-ny]
what should w3c do?
15:20:12 [beltzner]
vircuser: nope, people are even allowed in this channel, afaik, but are asked to keep quiet
15:20:15 [beltzner]
phillhb: ^
15:20:17 [jose-ny]
coordinate industry efforts to continuously improve web authentication, develop an architecture for web authentication, establish new standards for interoperable solutions
15:20:55 [jose-ny]
we need a comprehensive strategy... not just technology, short, middle, long term plans
15:21:57 [jose-ny]
true collaboration & cooperation is a refreshing new trend in security.
15:22:32 [jose-ny]
presenter was Chuck...
15:24:22 [Mez]
are the slides getting posted anywhere in "real" time? It's hard to read some of these
15:25:44 [chaals-]
[s/some/a lot/]
15:26:07 [DanC_lap]
DanC_lap has joined #security-ws
15:26:27 [DanielD]
DanielD has joined #security-ws
15:28:19 [DanC_lap]
-> FFIEC Releases Guidance on Authentication in Internet Banking Environment October 12, 2005
15:34:40 [beltzner]
beltzner has joined #security-ws
15:36:04 [jose-ny]
jose-ny has joined #security-ws
15:37:03 [jose-ny]
Ian: There are issues that need to be addressed in federation, but it's not the critical one
15:37:48 [jose-ny]
Amir H: are you considering making guidelines for mutual authentication that can be immediately used
15:38:05 [jose-ny]
Ian: The lock over the page, misusing security identifiers... those are some that could be considered
15:38:53 [jose-ny]
Chuck: the current situation is poor practice. Financial institutions are moving forward to best practice for better security. It takes time to roll it out
15:39:52 [Alan]
Alan has joined #security-ws
15:40:55 [jose-ny]
Army...(?): mobile device manufacturers are announcing support for many authentication mechanisms. Does this represent a threat?
15:41:21 [jose-ny]
Chuck: The financial industry is concerned about cross-site use of information. This needs to be cleaned up
15:42:35 [jose-ny]
Army..(?): using a password manager removes almost all of the phishing attacks. The password manager can detect where the information is going to be used.
15:42:50 [Alan]
attendance list
15:42:56 [jose-ny]
army (?): for the current problems this is an immediate solution
15:44:00 [jose-ny]
xx: there are users about password managements too. what happens when it breaks down?
15:44:27 [jose-ny]
Chuck: customer management has to be taken into account in the framework
15:46:00 [jose-ny]
PhilHB: digest authentication solves many problems. It could solve the MiM attack. It failed because there was no way for the user to know which kind of authentication he was using
15:47:15 [chaals-]
[PHB - make the user experience better. This is actually valuable because it means we hassle the user less often about real problems, so the "just click OK to anything" effect takes longer to kick in...]
15:53:08 [jaltman_]
jaltman_ has joined #security-ws
15:54:20 [jaltman__]
jaltman__ has joined #security-ws
15:55:28 [jaltman__]
jaltman__ has joined #security-ws
15:58:22 [beltzner]
I think that taking this model of security to a point of perfection will end up getting us nowhere
15:58:35 [beltzner]
if the user's computer is compromised, you've got an entirely different class of security problem
15:59:01 [jaltman]
that's true but it is something to keep in the back of our minds as we move forward
15:59:39 [jose-ny]
jose-ny has joined #security-ws
15:59:50 [jose-ny]
Dieter: we need to identify the weak links in the chain. For me, this is the interface between the customer and the user. Malware is really serious
16:01:08 [jose-ny]
<jose-ny> PHB: Stopping the user pain is a valid thing to do. Even if it doesn't reduce the losses, it's worthwhile to ease the user experience
16:01:08 [jose-ny]
<jose-ny> yy: once I logged in, all of my authority is in play when I use an online trading account. The problem seems to be linking all of the user's authority on authentication. We should avoid giving all the authority once we are authenticated
16:01:08 [jose-ny]
<jose-ny> chuck: agrees in general with this comment.
16:01:08 [jose-ny]
<jose-ny> chuck: regarding multi-factor authentication
16:01:12 [jose-ny]
<jose-ny> Dan Schuts: it's good to start thinking about authentication. We should think about moving further than authentication. Authentication should be thought about from the risk analysis point of view
16:01:17 [jose-ny]
<jose-ny> s/Schuts/Schutz/
16:01:19 [jose-ny]
<jose-ny> Dan Schutz: Many of today's transactions involve delegation authority to a third-party, but it's not the full authority for everything.
16:01:22 [jose-ny]
<jose-ny> chaals: we're trying to reduce the cost to users when filling out forms. It's an expensive operation for the user
16:01:31 [jose-ny]
<jose-ny> chaals: Cookies is a solution. Automatic form filling is similar too. Reducing the ordinary cost to users of filling forms, answering dialogues gives better payback from security
16:01:34 [jose-ny]
<jose-ny> Eve Maler: Many people understand authentication without authorization
16:01:36 [jose-ny]
<jose-ny> Eve Maler: How can we make a useful system for simplified authentication. The trick is to find out how to make different levels of authentication
16:01:39 [jose-ny]
<jose-ny> s/make/have/
16:01:43 [jose-ny]
<jose-ny> simple one for simple tasks, more high level security for other tasks.
16:01:47 [jose-ny]
<jose-ny> Finding the correct terminology is really important and difficult
16:01:49 [jose-ny]
<jose-ny> Ian: Password managed on the client side is fragile when the user's computer is compromised
16:01:51 [jose-ny]
--- Disconnected (Remote host closed socket).
16:01:53 [jose-ny]
--> You are now talking on #security-ws
16:01:59 [jose-ny]
--- Topic for #security-ws is
16:01:59 [jose-ny]
--- Topic for #security-ws set by DanC_lap at Wed Mar 15 14:52:05 2006
16:02:01 [jose-ny]
--- Keeper gives channel operator status to jose-ny
16:02:03 [jose-ny]
<jose-ny> Dieter: we need to identify the weak link
16:02:05 [jose-ny]
(cut and paste of missed minutes)
16:07:03 [jaltman__]
jaltman__ has joined #security-ws
16:08:41 [jaltman___]
jaltman___ has joined #security-ws
16:08:54 [peter]
peter has joined #security-ws
16:21:27 [Alan]
Alan has joined #security-ws
16:21:33 [Daniel_GoodmailSy]
<break> everybody eating and drinking
16:21:41 [weinig]
weinig has joined #security-ws
16:26:33 [vircuser]
vircuser has joined #security-ws
16:28:35 [Alan_]
Alan_ has joined #security-ws
16:41:16 [jose-ny]
jose-ny has joined #security-ws
Topic: Jeffrey Nelson, David Jeske; Google, Inc: Limits to Anti-Phishing
16:48:42 [DanC_lap]
ScribeNick: DanC_lap
16:48:49 [DanC_lap]
Jeske presenting...
16:48:56 [Mez]
Mez has joined #security-ws
16:48:56 [DanC_lap]
... he does the google login system
16:50:13 [DanC_lap]
Jeske: we use the same interface for high-security apps like adwords and low-security apps
16:50:15 [jose-ny]
scribenick: danc_lap
16:50:34 [DanC_lap]
... this is clearly a risk.
16:51:12 [DanC_lap]
... but even more, we're seeing little sites using google credentials to access their services
16:52:18 [beltzner]
(dns is down again)
16:53:10 [DanC_lap]
JeffNelson: I'm also on the google accounts team...
16:53:57 [DanC_lap]
JN: we (ebay) went thru $100k learning how to manage/prevent fraud. [see quote on slide]
16:54:30 [beltzner]
beltzner has joined #security-ws
16:55:35 [Daniel_GoodmailSy]
That was $100 million, no?
16:56:05 [DanC_lap]
oops; probably so. as I say, see the slide.
16:57:38 [DanC_lap]
JN: one approach is new browser chrome with logos/trustmarks. But phishers know how to spoof all that.
16:58:02 [beltzner]
beltzner has joined #security-ws
16:59:21 [DanC_lap]
JN: to some extent, petnames [should also be in the list on ... oops... which slide?]
16:59:45 [DanC_lap]
(I wonder what to make of the "Confidential" label at the bottom of the slides, given that the proceedings of this workshop are public.)
17:00:00 [beltzner]
(you make nothing of it, since they should know that :)
17:00:35 [jaltman___]
jaltman___ has joined #security-ws
17:02:22 [DanC_lap]
JN discusses zero knowledge proof and "re-registration" attacks [not mentioned on the "Weak credentials" slide]
17:03:22 [DanC_lap]
slide: "Passwords[sic] hashes are week"
17:05:15 [DanC_lap]
Q: how many times does google let people re-try the password dialog?
17:05:20 [DanC_lap]
A: it's a complicated algorithm
17:06:29 [DanC_lap]
JN: the point is not about active password attacks, but about offline attacks on hashes; this shows you just need to do a million md5s
17:06:35 [DanC_lap]
[discussion is curtailed...]
17:08:45 [chaals-]
chaals- has joined #security-ws
17:11:31 [DanC_lap]
-- q/a
17:12:03 [jose-ny]
andy ostman (mit lincoln): is there any prefiltering of passwords to test if they are high-value ones?
17:12:04 [chaals-]
[??? I got connected...]
17:12:04 [DanC_lap]
Andy_O: about the password data... is there any filtering of the passwords to be sure you're testing the high-value passwords?
17:12:21 [jose-ny]
(lets danc_ scribe)
17:12:21 [DanC_lap]
A: no. the only thing we threw away was unsuccessful logins.
17:12:37 [DanC_lap]
... we have single-sign-on
17:13:48 [DanC_lap]
Q[whom?]: you make the point about hashes... the google toolbar sends urls over a clear channel, perhaps exposing password hashes
17:14:05 [DanC_lap]
A: good point. I'll pass that on to the folks who work on that, though I expect they're working on it.
17:14:27 [DanC_lap]
Q/Microsoft: why doesn't InfoCard score "yes" under Trusted UI?
17:14:33 [DanC_lap]
A: cuz there's no secret...
17:14:58 [DanC_lap]
Microsoft: yes, there is; I'll explain in my presentation
17:15:42 [DanC_lap]
Topic: Drew Dean; Yahoo!, Inc: Authentication for web services
17:16:40 [DanC_lap]
- slide: A brave new world
17:18:01 [jaltman___]
jaltman___ has joined #security-ws
17:19:39 [chaals-]
chaals- has left #security-ws
17:21:20 [DanC_lap]
DD: opaque identifiers are a key to independent evolution of yahoo services and 3rd-party services
17:22:16 [DanC_lap]
Q[who?]: are these opaque identifiers authority-bearing? once I have one, can I use it to exercise rights?
17:22:23 [DanC_lap]
DD: in some cases, yes
17:22:25 [DanC_lap]
Q: in what cases?
17:22:33 [DanC_lap]
DD: perhaps on a tivo or mobile platform
17:22:45 [DanC_lap]
[not sure I got the gist of that.]
17:23:25 [DanC_lap]
DJW: I hope we can discuss the contrast between lower-case web services, aka javascript, on the one side, and the upper-case Web Services [architecture?]...
17:24:06 [DanC_lap]
Topic: Robert W Capps II; World Savings Bank: Digital Authentication for an Analog World: Why Authentication Processes Fail and How Do We Fix Them
17:24:47 [DanC_lap]
slide: Key Concepts
17:25:39 [DanC_lap]
RC: a number of these credentials are actually public records: date of birth, etc.
17:26:19 [DanC_lap]
RC: note ATMs are an example of widely-deployed 2-factor auth. we're not exploiting that experience.
17:26:35 [DanC_lap]
- slide: Key Concepts (cont)
17:27:55 [DanC_lap]
- slide: Key Concepts (cont). The OS...
17:29:33 [DanC_lap]
RRSAgent, pointer?
17:30:01 [Alan]
Alan has joined #security-ws
17:31:52 [DanC_lap]
(I wonder how much of what I typed made it into the log. previous line, repeated: - slide: Key Concepts (cont). The OS... )
17:32:07 [vircuser]
vircuser has joined #security-ws
17:32:22 [RalfCHauser]
RalfCHauser has joined #security-ws
17:33:02 [DanielDreymann]
DanielDreymann has joined #security-ws
17:34:04 [DanC_lap]
Shirvam[?]/Microsoft: when we talk of standardizing icons and such, it's great for consumers... but it's also great for phishers, no? they just need to copy one set of icons
17:34:15 [peter]
peter has joined #security-ws
17:34:22 [DanC_lap]
A/Google: this is why the secure UI has to rely on a user secret
17:35:39 [DanC_lap]
A/google[other guy]: there's work going on with vmware to have a secure part of the OS. I'm sure microsoft is doing likewise. Because right now, the attackers can spoof everything. [I must have missed part of his answer]
17:36:09 [DanC_lap]
Q: this is known as the [?] path problem. It's traditionally seen as an input. What we're seeing with the phishing situation is that an output is needed too.
17:36:19 [DanC_lap]
Q[who?]: [missed]
17:36:46 [DanC_lap]
A: [missed]
17:38:15 [chaals-]
chaals- has joined #security-ws
17:40:06 [RalfCHauser]
RalfCHauser has joined #security-ws
17:40:17 [plipp]
plipp has joined #security-ws
17:42:01 [jaltman___]
jaltman___ has joined #security-ws
17:42:44 [vircuser]
vircuser has joined #security-ws
17:44:04 [djweitzner]
djweitzner has joined #security-ws
17:46:38 [jose-ny]
jose-ny has joined #security-ws
17:48:09 [DanC_lap]
DanC_lap has joined #security-ws
17:48:34 [DanC_lap]
Q: [something about flickr and delegation]
17:48:36 [DanC_lap]
A/yahoo: I think flickr has published an API for that
17:48:43 [DanC_lap]
Q: it should be in more places
17:48:55 [DanC_lap]
A: yes, I can see the desire for a standard...
17:49:53 [DanC_lap]
A/google: yes, I can see the desire for a standard too, but anti-phishing mechanisms have to come first, since it increases phishing risks.
17:50:28 [chaals-]
s/[something about flickr and delegation]/there is a problem that there is no way to share something with a couple of people in flickr - either you hand over your password or you use one of the two pre-baked groups/
17:50:35 [DanC_lap]
Q: but if there are compelling apps, they'll just give away their whole username/password credentials if there aren't partial delegation standards. [who?]
17:51:25 [DanC_lap]
A/google: flickr is one success story, but another paypal subscription [something] is another case; but of course they're one of the top phishing targets
17:52:15 [DanC_lap]
Q: social attacks are likely to be just about as effective with partial delegation.
17:52:34 [DanC_lap]
A/google: indeed.
17:53:34 [DanC_lap]
A/google: [describes a cross-site attack on paypal]. There's no delegation there, but it's something we need to consider.
17:53:59 [DanC_lap]
Q: we're already doing delegation by mailing around URLs. Seems like we should be able to do something along those lines.
17:54:20 [jose-ny]
s/delegation/fine grained delegation/
17:54:46 [Daniel_GoodmailSy]
Daniel_GoodmailSy has joined #security-ws
17:54:53 [DanC_lap]
A/google: we'll have to think about that... [something about reducing complexity, and how doing something like RSS might work]
17:56:32 [DanC_lap]
DJW: on the trusted platform point... do you see some middle ground?
17:57:11 [DanC_lap]
A/google: the bar today is very low; a script can manipulate the dom and paint the whole screen...
17:58:18 [DanC_lap]
... something that just has a secure keyboard handle... [missed; help?]
17:58:41 [DanC_lap]
DJW: if that's a user-choice, don't we have the same phishing problem?
17:59:40 [DanC_lap]
Drew: note the WinNT password dialog has you hit ctrl-alt-delete 1st.
17:59:51 [DanC_lap]
... this is orange-book stuff.
18:00:08 [DanC_lap]
... and note x509 logo stuff
18:01:50 [DanC_lap]
Microsoft[shriram?]: the OS has lots of this stuff... Vista has [missed]... but the browser runs in user mode and this is in system mode... plus, ctrl-alt-delete doesn't integrate with forms, password managers
18:03:35 [DanC_lap]
A/google: [...] but if, for example, javascript couldn't resize the browser window, that might have a real impact
18:04:43 [DanC_lap]
Drew: years ago, with a few weeks of grad student labor, we were able to do very sophisticated spoofing. Even less sophisticated attacks are working.
18:05:53 [DanC_lap]
Q/comment[who?]: re trusted path to the password problem: one of the oldest tricks is to ask for the password, say it was wrong, and then ask again [?]
18:06:55 [DanC_lap]
Drew: indeed, trusted path implemented incorrectly doesn't solve the problem
18:07:59 [Robert_Capps]
Robert_Capps has joined #security-ws
18:08:00 [DanC_lap]
--- Lunch
18:08:37 [beltzner]
DanC_lap: that last comment was from George Staikos
18:08:46 [Robert_Capps]
Robert_Capps has joined #security-ws
18:22:43 [vircuser]
vircuser has joined #security-ws
18:24:16 [djweitzner]
djweitzner has joined #security-ws
18:24:20 [beltzner]
beltzner has joined #security-ws
18:27:40 [vircuser]
vircuser has joined #security-ws
18:48:07 [virc2user]
virc2user has joined #security-ws
18:48:33 [jaltman___]
jaltman___ has joined #security-ws
18:49:48 [RalfCHauser]
RalfCHauser has joined #security-ws
18:51:52 [jaltman___]
jaltman___ has joined #security-ws
18:52:43 [djweitzner]
djweitzner has joined #security-ws
18:56:23 [Robert_Capps]
Robert_Capps has joined #security-ws
18:58:04 [Alan]
Alan has joined #security-ws
19:02:20 [DanC_lap]
DanC_lap has joined #security-ws
19:04:29 [peter]
peter has joined #security-ws
19:04:50 [peter]
peter has joined #security-ws
19:06:35 [chaals-]
chaals- has joined #security-ws
19:06:43 [jaltman___]
jaltman___ has joined #security-ws
19:09:05 [jaltman___]
jaltman___ has joined #security-ws
19:09:25 [beltzner]
research shows that users spend an average of 0.05s deciding if a page is trustworthy or not
19:10:23 [peter]
peter has joined #security-ws
19:13:31 [jose-ny]
jose-ny has joined #security-ws
19:13:38 [jose-ny]
scribenick: jose-ny
19:13:52 [jose-ny]
Session 3: Phil Archer: Quatro Approach
19:13:58 [jose-ny]
Slide: The Quatro Vocabulary
19:14:38 [jose-ny]
Slide: Quatro allows a TM operator to:
19:14:54 [plipp]
plipp has joined #security-ws
19:15:10 [jose-ny]
A common vocabulary provides interoperability
19:15:19 [jose-ny]
Slide: ViQ Browser Extension
19:15:53 [jose-ny]
Slide: LADI Search Engine Wrapper
19:16:19 [jose-ny]
Slide: Oh Yeah? (Semantic web button)
19:16:29 [jose-ny]
Slide: ViQ Browser Extension (cont)
19:16:35 [jose-ny]
Shows where the metadata came from
19:16:37 [beltzner]
those acronyms are meaningless, of course ...
19:16:46 [beltzner]
but I guess that's a trustmark branding issue
19:16:52 [jaltman___]
jaltman___ has joined #security-ws
19:16:55 [beltzner]
did he cover how these trustmarks aren't themselves spoofed?
19:17:24 [jose-ny]
Slide: ViQ Browser Extension (cont)
19:17:41 [jose-ny]
click on the metadata, you get more information about where it came from
19:17:53 [jose-ny]
slide: (untitled) shows back end process
19:18:07 [jose-ny]
Quapro-- quatro proxy
19:18:46 [beltzner]
(someone had to say it)
19:18:59 [Daniel_GoodmailSy]
Daniel_GoodmailSy has joined #security-ws
19:19:13 [jose-ny]
Can use digital signatures to increase the integrity of the messages
19:19:51 [jose-ny]
Slide: Trustmark use cases
19:20:14 [jose-ny]
Segala (company that does accessibility testing)
19:22:24 [jose-ny]
search engines have shown interest in trustmarks
19:22:28 [jose-ny]
Slide: Trustwatch
19:23:00 [jose-ny]
Slide: The Quatro Partners
19:24:17 [jose-ny]
Q: Mike.. Mozilla: What is the recourse for the authentication whether a web site satisfies the (trustmark) criteria
19:24:23 [jose-ny]
A: Evaluation process
19:24:39 [Mez]
Mez has joined #security-ws
19:25:05 [jose-ny]
Q: Have you considered labelling a certificate as a higher level authority? Concerns about this being overloaded as not only a certification mechanism, but also authentication... Can you use it for authentication too?
19:25:17 [jose-ny]
A: No, but we surely are going to talk about it
19:25:18 [chaals]
chaals has joined #security-ws
19:25:54 [jose-ny]
Q: Amir H. We are considering this protocol in proxies. Have you considered standardizing a protocol to get queries about this kind of information from servers
19:26:22 [jose-ny]
A: We have a very tiny schema and light weight protocol for the moment.
19:27:07 [jose-ny]
Q: Amir H. : There are also trust and privacy issues. This protocol and issues may be something that the W3C could be interested in
19:28:11 [jose-ny]
Presenter: Mary-Ellen Zurko (mez) Using History, Collaboration, and Transparency to Provide Security on the Web
19:28:32 [jose-ny]
co-written with Dave Wilson from the Workplace, Portal, and Collaboration Software division of IBM
19:28:43 [GeorgeStaikos]
GeorgeStaikos has joined #security-ws
19:28:47 [GeorgeStaikos]
yay I'm online again
19:29:21 [pecorra_]
pecorra_ has joined #security-ws
19:29:27 [jose-ny]
Slide: What I'll talk about
19:29:39 [DanC_lap]
DanC_lap has joined #security-ws
19:29:47 [jose-ny]
Will talk about reality outside of computers (third point)
19:30:00 [chaals]
rrsagent, draft minutes
19:30:00 [RRSAgent]
I have made the request to generate chaals
19:30:13 [mrowan007]
mrowan007 has joined #security-ws
19:30:20 [jose-ny]
Slide: The Problem Space
19:30:42 [jose-ny]
Attacks would be less effective if there wasn't a way to put things on the user's space (mail push)
19:31:12 [jose-ny]
scams always exploit the mistakes / assumptions that people make. An absolute solution won't exist. We can stop the flow rate, though
19:32:15 [jose-ny]
Thinks that when people say that there is a mutual authentication problem, it's more about the authentication of the web server to the user (
19:32:38 [jose-ny]
thinks that DNS domains can act as authentication authorities
19:33:44 [jose-ny]
Protections need to be moved back to the user, as there may be many tiers, unless there is a global protection mechanism
19:33:51 [jose-ny]
Slide: Trustworthiness of web site
19:34:10 [jose-ny]
How fast does a user detect that a site can be trusted
19:34:52 [jose-ny]
These are things that security tech. cannot provide (ease of use... etc). That's why security technology has failed in this area
19:35:00 [jose-ny]
Slide: Metadata for reality based assurance of web sites
19:35:14 [jose-ny]
Slide: personal history
19:35:42 [jose-ny]
There are a number of things that a web browser can know that can help determine the trustworthiness of the site where a user wants to connect
19:36:07 [DanC_lap]
(regarding the question of using QUATTRO style labels to make connections between CAs, that's close to some research we've done with RDF and digital signatures for a few years. I wonder if there's any chance CAs would look outside the world of ASN.1)
19:36:09 [jose-ny]
such as how many times he has visited it, how he got there (followed a link, ...)
19:36:17 [jose-ny]
Is that site bookmarked
19:36:34 [jose-ny]
(this was done in annotea)
19:37:00 [jose-ny]
If the site was previously authenticated, has this info changed? Same password, ip addresses, same kind of cookies?
19:37:07 [jose-ny]
Did we post data to it previously?
19:37:58 [jose-ny]
Slide: History of others with personal connections
19:38:26 [jose-ny]
suppose we do some or all of those processes. One of the big problems will be the bootstrap problem
19:40:09 [jose-ny]
When you have information about people's other public-keys, you can make a web of "friends" from that. You can then use those public-keys to trust web sites
19:40:23 [jose-ny]
Slide: Mediators and Authorities
19:40:45 [jose-ny]
if you don't have the possibility of making a web of friends through key exchange, you can use mediators and authorities
19:40:57 [jose-ny]
not warm towards this approach
19:41:22 [jose-ny]
which servers may you trust?
19:41:41 [jose-ny]
slide: in summary
19:42:02 [jose-ny]
Metadata tied to personal history can combat large categories of scam, the ones we care about right now
19:42:18 [jose-ny]
Integration with mail infrastructure could provide extra benefits
19:43:13 [jose-ny]
Classic usability techniques can help fight against scams too. We should add a strong requirement to do usability testing on these kinds of solutions before deploying them
19:43:20 [jose-ny]
otherwise, it may not work
19:44:16 [jose-ny]
There will always be a gap where human ingenuity crosses human naivety, but we will have to live with this. At least make this gap as small as possible
19:44:31 [jose-ny]
Q: Fred Hirsch: (missed it)
19:44:44 [jose-ny]
A: If there is a place where you can trust gathering, this schema may work well
19:45:13 [jose-ny]
All the personal information that was mentioned is already available on the desktop
19:45:39 [jose-ny]
If we can find a way to only share data with people we trust, this will take care of a big part of scams
19:47:00 [jose-ny]
Q: Jeff (Google) History can be used as a facilitator for the attacker (javascript security model). Making history usable as a preventive mechanism will also be tricky. The API that would make this info available could also be available to misuse it
19:47:09 [jose-ny]
A: Agreed with the point
19:47:43 [chaals]
[depends whether the API *does* make history available]
19:48:31 [jose-ny]
Speaker: Transparency and Usability of Web Authentication, Kenneth L Wright II, Electronic Fraud Analyst, World Savings Banks.
19:49:42 [jose-ny]
Slide: FFIEC as a starting point
19:50:17 [jose-ny]
slide: Mutual authentication
19:50:25 [jose-ny]
we want to make sure that a site is safe for the consumer
19:50:33 [jose-ny]
Consumers feel safe with trusted channels
19:51:08 [jose-ny]
Slide: Personalized web experience
19:51:58 [jose-ny]
Would like to see personalized color schemes, phrases, ... anything that will allow a user to have trust in a server... for raising the awareness of what is a spoofed site or not
19:52:08 [jose-ny]
history of transactions etc.
19:52:23 [jose-ny]
This will create a reverse channel of biometric information
19:52:35 [jose-ny]
Not sure how this may be done, but this is what would make my life easier
19:52:48 [jose-ny]
Slide : Low Level Authentication
19:53:07 [jose-ny]
slide shows a web site that just displays a name and an email
19:53:12 [jose-ny]
Slide: Mid-level authentication
19:53:36 [jose-ny]
site proposes personalized indicators (visual, audio, ...)
19:53:42 [jose-ny]
High level authentications:
19:54:06 [jose-ny]
session timers, transaction history, security checklist (you have to complete these steps before giving your credit card number)
19:54:26 [jose-ny]
figure shows personal interaction items in the page
19:54:31 [jose-ny]
Slide: Conclusion
19:54:49 [jose-ny]
Personalize experience for the end-user
19:55:00 [jose-ny]
consistent authentication across the web
19:55:14 [jose-ny]
better placement of fraud tips and info
19:55:55 [jose-ny]
Q: Shivaram Mysore (Microsoft): We store lots of information. This can cause lots of grief. I'm providing the bank more information than I want...
19:56:15 [jose-ny]
A: I agree. It's like choosing one's own poison. Do you want to provide it or not?
19:56:55 [jose-ny]
Q: Don Schutz: If I have a trojan inside the PC, all this stuff doesn't work anymore.
19:57:05 [beltzner]
I wish people would stop bringing up the trojan-in-the-pc thing
19:57:18 [beltzner]
it's laced with horrible stop-energy
19:57:19 [jose-ny]
A: Yes. My perspective was that a computer was safe
19:57:25 [beltzner]
baby steps, people
19:57:33 [jose-ny]
Q: You don't need to have a trojan in order to exploit this information
19:58:07 [jose-ny]
A classic MIM attack will weaken it, while giving the user a false sense of information
19:58:18 [beltzner]
fine, so put these signals in email communications from corporations
19:58:34 [jose-ny]
A: I didn't take into account this attack in my presentation
19:59:04 [jose-ny]
Q: phishing sites are looking for names and passwords
19:59:21 [jose-ny]
Just the user name is not enough... MIM attack
20:01:21 [jose-ny]
Q: Mike (Mozilla) It could be the three cups of coffee and a bottle of pepsi.. what we want to take away from the cat's paw are the emails that are impersonating someone. By making it harder to forge these trusted emails, we can already avoid these attacks
20:01:34 [jose-ny]
It is not a final solution, but there are points that we should take into account
20:02:15 [jose-ny]
Q: Ian (C-Mellon). How can we go even better to avoid forged mails? Phishing mails are getting better and better
20:03:10 [jose-ny]
A: Smaller financial situations are starting to experience phishing and their customers are unaware of them. Contrast these with the bigger enterprises. A standardized, better way of presenting this notify info to users could already help
20:03:49 [jose-ny]
Q: Amir H: If we know a site that is known, we can build a secure channel to the server using its public-key
20:04:45 [jose-ny]
A different problem is how to identify a web site that doesn't provide misleading information? How to make the server provide secure information through a secure channel?
20:05:52 [jose-ny]
Q: PHB: We're dealing with internet crime. We need a different kind of approach to it compared to the traditional one. There is no one single system that can provide a complete solution. A response center can be part of the solution. This infrastructure is already deployed and banks are using it
20:06:50 [jose-ny]
Giving a reasonable cost to an attacker will make this attacker shift his sight elsewhere
20:07:58 [jose-ny]
Q: Dan Schutz: Having a secure channel removes all the MIM attacks. We have taken steps together to understand the moving parts. We should now think about a roadmap that integrates these solutions
20:08:07 [jose-ny]
General discussion
20:08:26 [pecorra_]
pecorra_ has joined #security-ws
20:08:43 [jose-ny]
MeZ: Lack of imagination on how people will solve the problem of virus and trojans, but admires them
20:10:03 [chaals]
[Google knows how many times I went to a site?!?!?!?!?!]
20:10:23 [beltzner]
[it knows how many times you clicked on a site after searching for something]
20:10:27 [beltzner]
[if you sign in with your google ID]
20:10:32 [beltzner]
[when you search]
20:10:51 [chaals]
[oh. OK, that seems more reasonable]
20:11:13 [jose-ny]
DJW: Mez, you suggested that if you actually personal history metadata... collaborative metadata and applications have always been cool on the web. Do you think that can be part of a solution?
20:11:50 [jose-ny]
A: MeZ: yes .. maybe in the family, personal, enterprise scope. You could leverage this information. It may not scale well outside
20:12:14 [jose-ny]
A: Phil Archer: Shared bookmarks may help. Passing URLs to the family may help
20:12:36 [jose-ny]
In social networking people want to share things to communicate
20:13:17 [jose-ny]
Q: Mike Mozilla. A lot of these metadata systems are based on the assumption that people will only visit them after having been there once or twice
20:14:20 [jose-ny]
A: Mez: You're right. Personal history may help to counteract many scams. The bootstrapping problem is usual
20:14:41 [vircuser]
vircuser has joined #security-ws
20:14:50 [jose-ny]
Q: Fred Hirsch: Collaborative work may work against you. Someone gave me a link, went there, it looked like a scam in the end and the effect was multiplied
20:15:04 [jose-ny]
A: Mez: thinks that collaboration may have a better effect than side-effect
20:16:20 [jose-ny]
Q: What are the practical guidelines that W3C can give to web sites to develop better practices
20:17:00 [jose-ny]
A: Mez: It's hard to imagine what may be done. Not sending email doesn't seem like an alternative. One has to take into account scaling problems
20:17:48 [jose-ny]
A: Phil Archer: Semantic web activity is not based on trust right now. We can have multiple sources of data all talking about the same resource
20:18:44 [jose-ny]
we don't know which one we may trust... if you promote lots of stuff, the bad stuff would be pushed away compared to the good information that we will have
20:19:34 [jose-ny]
Q: (RSA) ...
20:19:49 [jose-ny]
(beltzner, care to rephrase this question? I didn't get the beginning yet)
20:20:28 [jose-ny]
The attacks on social systems won't be immediate, but may be built over time. Smart attackers are not necessary going to be greedy
20:21:14 [beltzner]
jose-ny: oops, I only listened to the answer, but I think it was in answer to the Q about practical guidelines
20:21:34 [jose-ny]
Q: Amy (Technion): Seems that we want to minimize 4 positives. Institutions are losing confidence in institutions. The icons and so on can build trust, but they don't really solve the phishing problem.
20:22:09 [jose-ny]
A: Mez, it'll be a step towards improvement
20:23:26 [jose-ny]
Q: Jeff Altman: Maybe the best solution would be to just say "there's information waiting for you at your *bank*", without putting any links, anything. The users would know where it is... users should know where their web site is already
20:23:39 [jose-ny]
People who are making these attacks don't look shorter, but longer term
20:24:13 [jose-ny]
I'd think very carefully about what kind of info we would put out... take into account privacy and long-term accounts. Avoid sending info on the clear
20:24:45 [jose-ny]
A: Mez. The message about never sending URLs could work as a best practice... (missed end of remark)
20:26:38 [jose-ny]
Q: Lisa. Many of these solutions can move to an arms race, where mimics will try to get the upper hand. Anything that is just another step in the arms race is going to cost the scammers, but will cost the users more. After a few times it will become much more expensive to follow up and have trust in it
20:27:41 [jose-ny]
Q: Amir. Saying that a bank image doesn't provide any link to a bank system could be good. It would be better if this link will open a secure channel and this would be the only way to contact the server
20:27:57 [jose-ny]
Labelling and ratings are very good ideas. Suggests they are done for public-keys and not just for ratings
20:28:41 [jose-ny]
A: Danny ... goodmail systems. Not enabling links in messages is a non-starter for marketing messages
20:29:07 [jose-ny]
one should not look at the transaction messages just separately
20:30:05 [jose-ny]
Q: Mike Mc... Another problem that banks are trying to solve are secure mail and crypto mail. S/mime is good, but doesn't provide anything against links... two worlds colliding
20:30:12 [Daniel_GoodmailSy]
Daniel_GoodmailSy has joined #security-ws
20:30:45 [jose-ny]
Q Dan Schutz: We can tell our customers our messages never have links
20:30:56 [jose-ny]
RRSAgent, draft minutes
20:30:56 [RRSAgent]
I have made the request to generate jose-ny
20:31:40 [jose-ny]
A lot of scams exploit this infrastructure
20:31:43 [jose-ny]
RRSAgent, draft minutes
20:31:43 [RRSAgent]
I have made the request to generate jose-ny
20:31:55 [jose-ny]
--- coffee break ---
20:49:23 [RalfCHauser]
RalfCHauser has joined #security-ws
20:53:25 [peter]
peter has joined #security-ws
20:53:29 [Daniel_GoodmailSy]
Daniel_GoodmailSy has joined #security-ws
20:58:27 [RalfCHauser_]
RalfCHauser_ has joined #security-ws
20:59:31 [jaltman___]
jaltman___ has joined #security-ws
21:03:53 [tlr]
tlr has joined #security-ws
21:04:07 [tlr]
We'd need a volunteer to scribe. Any takers?
21:09:47 [tlr]
Scribe: beltzner
21:09:50 [tlr]
Thanks Mike
21:14:37 [beltzner]
Tyler Close, HP, Petname Tool
21:14:50 [beltzner]
Slide: overview of 10 minute talk
21:15:36 [vircuser]
vircuser has joined #security-ws
21:15:59 [djweitzner]
djweitzner has joined #security-ws
21:16:21 [beltzner]
Slide: Which is the spoof?
21:16:53 [beltzner]
shows two screenshots, they look identical (one is - there's a 1px difference
21:17:03 [beltzner]
can be 0px
21:17:49 [beltzner]
Slide: Now, Which is the spoof?
21:17:53 [chaals]
[If you were using Opera you would have information about the certificate as well... :P]
21:17:59 [beltzner]
petname tool makes it easy
21:18:02 [beltzner]
[hush, you]
21:19:22 [beltzner]
petname provides semantic data that is provided by user to give them a reference that is unspoofable
21:19:27 [chaals]
[welll, if you got a certificate for Paypai Inc. registered in the US, you would still only have one extra pixel...]
21:19:30 [beltzner]
Slide: User training message
21:19:54 [beltzner]
Slide: States
21:20:38 [beltzner]
petname has three states: no SSL (disabled), SSL but not yet annotated, SSL and annotated
21:20:48 [beltzner]
[my typos are brutal! typing in the blind, here]
21:21:08 [jose-lap]
jose-lap has joined #security-ws
21:21:09 [beltzner]
implementation is actually just bookmarks
21:21:39 [jose-lap]
scribe-nick: beltzner
21:21:52 [chaals]
Present: See The Program
21:22:15 [beltzner]
bookmarks created in a "petname" folder, named with the annotation from the user
21:22:42 [beltzner]
would like to tie in password generators to this functionality, such that user never knows the passphrase
21:23:39 [beltzner]
[yeah, I think he stated that limitation up front, but it's a biggie; could use a portable profile on a USB key,mebe?]
21:24:07 [beltzner]
[I wonder what happens when referrer codes are in that URL]
21:24:12 [jose-lap]
(or a la delicious shared bookmarks?)
21:24:20 [peterl]
peterl has joined #security-ws
21:24:40 [beltzner]
petname provides a way of indicating an ongoing relationship with the site
21:24:56 [beltzner]
[overall I like this signal, though]
21:25:13 [chaals]
[yeah, me too]
21:25:59 [beltzner]
Q: Ian Fette, CMU. Any tests with users? What happens when users see "untrusted"?
21:26:48 [beltzner]
A: Tool available for download for >1yr, over 7500 users, frequent feedback via email, no formal user study
21:34:49 [beltzner]
Q: Drew Dean, Yahoo: how do you distinguish the site?
21:34:49 [beltzner]
A: Hash of the CA public key and the distinguished name in that cert
21:34:49 [beltzner]
Q: (cont'd): so renewals cause the system to fail?
21:34:49 [beltzner]
A: Yes, but that's a limitation of the CA infrastructure
21:34:49 [beltzner]
Q: John Lynn, RSA: do you see this as a potential creator of bad habits? Since the default is "untrusted" and people might just think "oh, but I do trust this site"
21:34:52 [beltzner]
A: Yes, so it's important to get the user at the first point of interaction. I have a proposal where the hash of the public key is embedded in the URL so that the browser knows to trust that first interaction. Could compare against other public key hashes from the wild to get a reasonable measure of confidence.
21:34:57 [beltzner]
Q: Terry Hayes, AOL: curious about the link between password manager and this approach; if one creates a name when one registers at the site, that's a strong tie in.
21:35:00 [beltzner]
A: Yes, absolutely. Worst case scenario is that you've created a new password that's useless to the phisher.
21:35:03 [beltzner]
Amir Herzberg, Bar Ilan University, Safe Browsing for Dummies
21:35:06 [beltzner]
Slide: Current browser expect users to ...
21:35:08 [beltzner]
[damned network]
21:35:28 [weinig]
weinig has left #security-ws
21:35:33 [beltzner]
users don't notice existing security indicators
21:35:42 [beltzner]
nor do they understand SSL/PKI/CAs
21:36:21 [beltzner]
Slide: What went wrong? How to fix?
21:37:29 [beltzner]
avoid jargon and technical details, and focus on user-familiar terms
21:37:38 [beltzner]
focus on name of site and name of CA
21:38:54 [beltzner]
Slide: TrustBar: site identification widget
21:39:08 [beltzner]
uses logos as well as text
21:39:14 [beltzner]
right in the menubar
21:39:31 [beltzner]
Slide: Soon in IE7
21:39:51 [beltzner]
IE7 will have similar strategy, but no logos and only for extended validation certificates
21:41:07 [beltzner]
Slide: SSL certificate Validation
21:45:02 [beltzner]
Slide: Requiring Stronger Certification
21:47:33 [jose-lap]
(to norton.. or to xkms?)
21:48:08 [beltzner]
Slide: single-click login
21:49:44 [beltzner]
Slide: single-click login with TrustBar
21:50:49 [beltzner]
[remote/roaming profile?]
21:51:13 [chaals]
[how do you use this in an internet cafe?]
21:51:23 [beltzner]
Slide: defending against malicious attacks
21:51:48 [beltzner]
[I saw it, fwiw]
21:52:37 [beltzner]
Slide: current mal-content defenses
21:53:28 [vircuser]
[If you are in an internet cafe and you log into your bank account you have a lot more to worry about, hardware keystroke logger for example]
21:53:38 [beltzner]
[dude behind you with a club ...]
21:54:31 [beltzner]
Slide: conclusions
21:54:48 [chaals]
[but neither of those possibilities stop people from using secure material on shared machines. And there are places where shared access to machines is the norm, not the exceptional case]
21:55:51 [beltzner]
Q: Mike Mcormick: Could you elaborate on the public protest certs? That sounds like a can of worms if I can revoke your certs.
21:56:53 [beltzner]
A: It's a limited time protest, checking them is pretty easy, similar to trademark system. Of course, this does open up DDoS vector. Can be solved by requiring cash deposit, though.
21:57:50 [beltzner]
Q: Ian Fette, CMU. I'm also worried about the CA extended validation cert, as they might price SSL out of the reach of many users.
21:58:05 [beltzner]
(VeriSign interrupts to remind us that this might not be the case)
21:58:34 [beltzner]
Q: (cont'd) A few weeks ago about how a store and a bank had the same name, how do you resolve these disputes?
21:59:50 [beltzner]
[I can't find an answer in what he's saying - anyone else?]
22:00:33 [beltzner]
A: we stay out of that, leave it to the legal system (ish, sorta, kinda)
22:00:45 [GeorgeStaikos]
this seems really backwards to me
22:01:07 [GeorgeStaikos]
you have to have every company in the world watch who is getting certificates 24/7 and try to catch any case that conflicts with their interests?
22:01:12 [beltzner]
Sebastian Gajek, Ahmad-Reza Sadeghi, Client Authentication in a Federation Using a Security Mode
22:01:14 [GeorgeStaikos]
-> does not scale
22:01:24 [beltzner]
[George, right, and it's why I don't like ext-valid certs :)]
22:01:35 [beltzner]
[nyah, nyah]
22:01:39 [GeorgeStaikos]
not to mention that CAs probably don't want to release their customer list before they finalize the issuance
22:01:43 [beltzner]
Slide: Problem
22:01:47 [beltzner]
Slide: Terms
22:02:13 [GeorgeStaikos]
beltzner: maybe the onus needs to be on the CA instead, and enforced
22:02:56 [beltzner]
Slide: what is security mode
22:03:58 [beltzner]
Slide: case study, tampering
22:04:35 [beltzner]
Slide: case study, transparency
22:05:57 [beltzner]
Slide: providing security requirements in browser model
22:06:24 [beltzner]
SSL is actually a three party protocol, with the browser as a party
22:07:26 [beltzner]
SSL is actually a three party protocol, with the browser as a party (2)
22:07:39 [beltzner]
Slide: case study, proving security requirements (2)
22:07:51 [beltzner]
[taking notes in the blind is harrrrd]
22:08:21 [beltzner]
Slide: candidate solution I: secure mode browser
22:10:34 [beltzner]
Slide: example of "online-banking browser"
22:11:48 [beltzner]
Slide: candidate solution II: PERSEUS
22:11:58 [beltzner]
goal is to prevent mail-web phishing
22:12:27 [beltzner]
lets user run browser in a completely isolated OS environment, preventing malware attacks
22:12:36 [beltzner]
Slide: summary
22:12:52 [beltzner]
more info at
22:14:06 [beltzner]
Q: Amir Herzberg: Protection from malware coming from websites, not from on the machine, right?
22:14:17 [beltzner]
A: the goal is to prevent malware from ever being installed in the first place
22:15:40 [beltzner]
Q: jeff, Google: following up on trusted computing, do you deal with JS and active content?
22:16:08 [beltzner]
A: to avoid these sorts of attacks, we prefer to go into a limited browsing mode
22:16:24 [beltzner]
A: two different technologies: trusted computing, anti-active-scripting attacks
22:17:07 [beltzner]
Phillip Hallam Baker, Verisign, Secure Letterhead
22:18:05 [beltzner]
Slide: we're not in kansas anymore
22:18:16 [beltzner]
(not taking slide notes anymore)
22:18:42 [beltzner]
secret service now laying charges against fraudsters
22:19:33 [beltzner]
currently in the whack-a-mole business
22:19:42 [beltzner]
want to be playing chess, and be several moves ahead of the bad guys
22:21:03 [beltzner]
focus will be (for this talk) on disrupting the social engineering attack
22:21:14 [beltzner]
big deficit is in the outbound communication from companies
22:21:41 [beltzner]
multiple approaches: layered security, cryptography, law enforcement
22:22:06 [beltzner]
w3c is best positioned to assist with user interface portion of this
22:22:43 [beltzner]
goal is to ensure that a message from X is authentic
22:23:27 [beltzner]
site identification currently done by DNS, which was designed as a _location_ mechanism
22:25:26 [beltzner]
proposal is to split identification from location and leverage SSL certs to do so
22:26:47 [beltzner]
[was it really? I thought it was to encapsulate a public key ...]
22:27:19 [beltzner]
[what is a "high assurance" CA?]
22:30:18 [Robert_Capps]
"high assurance" = an excuse to charge more
22:31:15 [beltzner]
[gentle, gentle ;)]
22:31:56 [beltzner]
[although this is the part of the CA pitch that I dislike: hey, can you differentiate us for our market, browser makers?]
22:32:41 [beltzner]
Q: Charles, Opera. Like the idea, but I've also tried to claim insurance before, and know that's difficult to do ... why would this be any different?
22:33:14 [beltzner]
A: Yes, that's an issue. But the insurer doesn't work in an environment where a single default turns up on the WSJ.
22:34:25 [beltzner]
A: We're in the blogosphere, and reputation is easily damaged. It's a matter of record that VeriSign has issued certs to spoofers - our process was defeated through our own error. But we revoked as soon as we knew and informed the public.
22:34:51 [beltzner]
Q: (follow-up) So risk-exposure for us as the browser is that we get blamecasted for the CA's screw-up
22:35:53 [beltzner]
A: I agree that we need to work these things out, like response times, and support for various issues and ...
22:36:49 [beltzner]
Q: Dan Connolly, W3C: It looks like you're willing to accept chrome attacks and write that off as a cost of business
22:37:20 [beltzner]
A: I'm presenting a protocol, and assuming that the lower levels in the stack will support us. I would hope that a browser implementing secure letterhead would provide some sort of chrome protection.
22:38:37 [beltzner]
A: The idea isn't for total coverage, but to secure the user with an up to date browser that's outside a botnet
22:39:00 [beltzner]
Q: Chuck Wade, wanted to follow up on the comment about community logo.
22:39:39 [beltzner]
A: Two uses for community logo; 1. Affiliate networks. 2. Different communities within networks of trust.
22:40:49 [tlr]
tlr has joined #security-ws
22:41:07 [beltzner]
Panel Time!
22:41:35 [beltzner]
Q: Tim Fette, CMU: For Phillip, assuming that all the technical stuff is in place, how do you get across to the user "Signed by VeriSign"?
22:42:12 [beltzner]
A: Phillip, One of the consequences is that it means the nature of the game changes, and that becomes the responsibility of the CA. This will require investment, just like VISA and M/C do today.
22:42:59 [beltzner]
A: VISA, M/C are a good analogy, as they don't have contact with the public directly, but through member banks
22:43:29 [beltzner]
Q: Tyler, But it's always been possible to identify the CA, so what makes this different?
22:45:03 [beltzner]
A: It's been possible, but not discoverable. Because it's buried, it's not being used. Also, it's not using our existing predilection for brands and logos.
22:45:19 [beltzner]
[he took a taxi? am I the only one taking the MTA?]
22:46:45 [beltzner]
Q: ???, A lot of the proposals today are based on people always using a single machine, but there is a lot of our user base who must use 1..n machines and doesn't have a single store for this information. Second comment, evidence shows that users don't pay attention to the user chrome, so it's not clear to me that adding information there won't help us.
22:47:43 [tlr]
[We'll not close sharp at 6, but maybe 10-15 minutes later.]
22:47:52 [tlr]
[I'll probably have to take up the "who are you" routine again.]
22:48:30 [beltzner]
A: (Amir) Agree, and TrustBar trivially supports many of these issues for mobile/multiple system users, and there's ways of doing this for single sign on as well. Second point, additional tests should be done, as our tests show a substantial increase with TrustBar. The issue might be expectations.
22:49:22 [RalfCHauser_]
RalfCHauser_ has joined #security-ws
22:49:43 [beltzner]
A: (Tyler) Existing studies don't take into account the interaction patterns. What I take from this is that passive indicators have questionable benefit. Interactive indicators might be more noticeable.
22:50:37 [beltzner]
A: (Tyler) change the login ceremony to involve these indicators
22:51:20 [beltzner]
A: (Philip) On the point about the mobile user, that's one thing that's nice about secure letterhead, all it needs is display, not user context
22:51:26 [Robert_Capps]
Robert_Capps has joined #security-ws
22:53:32 [jose-lap]
rrsagent, draft minutes
22:53:32 [RRSAgent]
I have made the request to generate jose-lap
22:55:33 [beltzner]
Q: George Staikos, KDE, This panel has had a lot of proposals for in-browser implementation. I think using CA/site brand is a great tool for building user recognition. I'm not sure that it will have the opposite effect in the case where the CA fails to meet its obligations. I'm not sold on putting logos in the chrome. Also, all these bits of real estate in the chrome will be competing for user attention, we can't put too much in, and once it's in, it's
23:04:33 [beltzner]
Q: If CAs are judged by how quickly they revoke certs, why would I choose the one that would revoke quickly?
23:04:40 [tlr]
(Stuart Schechter)
23:05:19 [beltzner]
A: to be the best possible CA to the relying party, you need to beat up your customers. Some CAs compete on how easily a cert is issued.
23:07:30 [beltzner]
tlr: I'm losing steam here, can you take over?
23:07:43 [beltzner]
or can someone else?
23:07:55 [tlr]
Someone else, please -- I don't have much steam left.
23:08:02 [tlr]
Anyway, we're adjourning in 2 minutes.
23:08:03 [beltzner]
I nominate GeorgeStaikos!
23:08:28 [GeorgeStaikos]
beltzner: I did my tour of duty a few weeks ago
23:08:35 [tlr]
(Thanks a lot, Mike, for scribing.)
23:08:51 [beltzner]
(glad to help)
23:09:19 [Mez]
customers can choose a CA brand (this is an A to a Q?)
23:09:34 [Mez]
Q: all chrome can be a phishing vector
23:10:00 [Mez]
A: we're not concerned about real estate
23:10:11 [Mez]
[I'd be flayed alive by my colleagues if I ever said that]
23:10:51 [Mez]
A: browsers taking measures to prevent attacks make these mechanisms good
23:11:16 [Mez]
Q: CA rep of that mountain whatever thingy
23:11:54 [GeorgeStaikos]
(Kirk Hall)
23:11:56 [Mez]
A: geotrust guy - it was just a test, and they owned the domain. Conflating name similarity with right to own the domain.
23:12:22 [Mez]
tlr says rights to domain name out of scope of this ws
23:13:29 [Mez]
Mez has left #security-ws
23:23:12 [tlr]