12:44:15 RRSAgent has joined #security-ws
12:44:15 logging to http://www.w3.org/2006/03/15-security-ws-irc
12:44:59 Ian_Fette_CMU has joined #security-ws
12:45:52 Keeper has joined #security-ws
12:50:34 DanC_lap has joined #security-ws
12:53:24 RalphS has joined #security-ws
13:10:45 ralphs, thanks
13:23:56 Alan has joined #security-ws
13:26:11 DanielD has joined #security-ws
13:33:36 Alan has joined #security-ws
13:33:44 http://www.w3.org/2001/01/cgi-irc
13:39:55 scribenick: jose
13:40:08 scribenick: jose-ny
13:40:18 rrsagent, where am I?
13:40:18 See http://www.w3.org/2006/03/15-security-ws-irc#T13-40-18
13:40:18 Phil has joined #security-ws
13:41:49 beltzner has joined #security-ws
13:42:17 Introduction: Gary Worth, CitiGroup
13:44:37 Dan Schutzer: Financial Services Consortium (?)
13:45:07 Concerned about vendor authentication on the web, and authentication of users
13:45:35 requirement is to have mutual authentication
13:46:39 they have requirements, but need to work with customers and vendors so that the infrastructure is trusted, easy to use and integrate
13:46:56 Danny Weitzner (W3C)
13:47:21 This WS is the second act of the w3c and financial services working together
13:47:54 first round of requirements led to xml-sig, xml-enc and xkms
13:48:28 The hope is to get a clear set of requirements from this WS
13:49:03 Alan has joined #security-ws
13:49:27 DJW: consider that we're not considering just browsers on computers, but on any mobile device
13:50:11 DJW: W3C has workshops because it's a pretty unique opportunity to develop consensus on an area of work that can be interested, what are the common threads and where we can get some useful work done
13:50:11 chaals has joined #security-ws
13:50:44 jaltman has joined #security-ws
13:50:46 vircuser has joined #security-ws
13:50:47 DJW: standard UI wasn't thought to be the solution, but a lack of shared UI metaphors for security has been identified as a weakness
13:50:54 DanC_lap has joined #security-ws
13:51:27 DJW: We have a critical mass of people here. We should not aim at solving every problem, but try to identify short term, quick term solutions that we can get together on. Try to avoid having a long-time rec. creation
13:52:05 DanC_lap has changed the topic to: http://www.w3.org/2005/Security/usability-ws/
13:52:10 peter has joined #security-ws
13:52:36 ---
13:53:30 (is there a registration results page?)
13:53:38 (Introductions of everyone in the room and their motivations... skipped)
13:53:46 - Mike B Mozilla
13:54:08 ff2 end of year
13:54:34 if not sooner
13:54:48 http://wiki.mozilla.org/Firefox2 if anyone wants to see the plans
13:54:49 ? from Yahoo
13:54:56 ? from Harvard
13:54:56 Naveen
13:54:59 Phil has joined #security-ws
13:55:11 Drew Dean from Yahoo
13:56:06 steve has joined #security-ws
13:56:33 I guess http://www.w3.org/2005/Security/usability-ws/papers/ has all the names
13:56:43 but it doesn't have affiliations :-(
13:56:56 Nelson, Google
13:57:13 Charles McCathieNevile, Opera software. Opera's chief standards officer, fascinated by security and trust (Yngve P is our real paranoiac - I am like the drummer hanging around the musicians). Looking for long-term work to get underway - we have started a bunch of short-term work among browser groups already, and welcome feedback on that
13:57:47 virc2user has joined #security-ws
13:58:46 ... Opera runs across mobile platforms, TVs, and various other platforms as well as desktops, and we want stuff that works for users in all those environments
14:00:31 vircuser has joined #security-ws
14:00:44 LisaDu has joined #security-ws
14:02:39 The wireless connection is a bit flaky, people keep appearing and disappearing
14:05:20 that was a very good point, sad to have missed the name
14:05:46 Dieter Bard
14:06:35 jaltman_ has joined #security-ws
14:06:38 DanC_lap has joined #security-ws
14:06:40 chaals: you and I should just set up court off to the side :)
14:07:05 - Andy Ozment MIT Lincoln Laboratory
14:07:24 - Daniel J. Weitzner W3C/MIT
14:07:36 Mez has joined #security-ws
14:07:36 - Peter Lipp IAIK, Graz University of Technology
14:08:02 - Ami Grynberg Protecteer, LLC
14:08:33 PHB: We want something that reduces the return to the bad guys - doesn't have to be perfect, we're trying to make stuff better
14:08:39 - Daniel Schutzer FSTC (Financial Services Technology Consortium)
14:09:21 PHB: I'm interested in federated identity and such, but perhaps more: authentication of the bank/service _to_ the user; I think that's a hole that needs filling
14:09:38 - Shivaram Mysore Microsoft Corporation
14:10:04 - Amir Herzberg Bar Ilan University
14:10:34 Danny has joined #security-ws
14:10:56 - Chuck Wade Financial Services Technology Consortium (FSTC)
14:10:56 Better Mutual Authentication Project
14:11:32 - Frederick Hirsch Nokia
14:11:46 - Tim Moses Entrust Inc.
14:12:00 acting chair of CA browsing forum
14:12:36 - Daniel Dreymann Goodmail Systems
14:13:42 - John Merrells Sxip Identity
14:14:07 ... there's a DIX WG in IETF
14:14:21 (I also forgot to mention that I'm W3C's liaison to IETF)
14:14:39 [missed one]
14:14:53 - John Linn RSA Laboratories
14:14:58 peter has joined #security-ws
14:16:08 - Kenneth Wright II Kenneth Wright II
14:16:09 Electronic Fraud Research
14:16:09 World Savings Bank, FSB
14:16:32 (that was Kenneth, not Robert, right?)
14:16:37 grandma...
14:16:38 jose-ny has joined #security-ws
14:16:52 - Mary Ellen Zurko IBM Software Group
14:17:19 steveB has joined #security-ws
14:17:45 - Moti Yung RSAsecurity Inc.
14:18:14 - Robert Capps World Savings Bank, FSB
14:18:36 (anybody got a pointer to that multi-factor auth advice? I suppose it's cited from various position papers?)
14:18:39 [for the record, a comment from Johan Hjelm in the ubiquitous web workshop (which had a lot of push for security). "Users don't care at all about privacy and security - they are not interested. Until something breaks, and then they get *very* unhappy"...]
14:18:49 - George Staikos KDE
14:19:34 - Michael Rowan GeoTrust
14:19:56 - Chris Bailey GeoTrust, Inc.
14:20:08 - KIRK HALL GeoTrust
14:20:34 - Phil Archer ICRA
14:21:09 Phil Archer, ICRA, an industry-funded charity working to make the Web safer for children
14:21:11 [the view really is stunning]
14:21:34 GeorgeStaikos has joined #security-ws
14:22:13 --- First presentation
14:22:22 Topic: Requirements, Fette
14:22:24 Is it acceptable to invite people from our organizations who are not present at the meeting to this irc channel?
14:22:31 Ian Fette: Web Security Requirements: A phishing perspective: What is usability, how are we failing?
14:22:56 The phishing problem: It's easy to fake a page and collect user information
14:23:27 hmm... good question, GeorgeStaikos ... does anybody in the channel object to lurkers from outside the room? should I put the question to the room, or ask tlr to?
14:23:35 slide: showing a survey that requests for information
14:23:59 (is it safe to assume that the slides will be part of the workshop proceedings? do you know, jose?)
14:24:01 what does it mean for security to be usable, what security features do we currently have.. how we have failed, succeeded...
14:24:11 danc_lap, yes
14:24:21 and afaik, tlr said this irc channel is public
14:24:33 ok
14:24:33 but people from outside the ws should not post questions here
14:24:47 (unless we have an open session)
14:24:50 yeah the channel is not hidden
14:25:07 jose-ny: in order to prevent that, we would need to have a moderator
14:25:37 georgestaikos: let's ask tlr at the break (trying to listen :)
14:25:43 ok
14:25:58 usable security: any interactions with the user should be understandable by the user
14:26:02 ...
14:26:10 mrowan007 has joined #security-ws
14:26:11 Current security features:
14:26:25 the lock in browsers (confusing ignored)
14:26:31 rsa secure id...
14:27:01 GeorgeStaikos, I asked tlr by sneaker-net. He says yes, it's OK to invite other folks.
14:27:05 what does the lock mean? does it mean I'm safe? does it mean it's already secure?
14:27:12 [captcha: see for example http://www.w3.org/TR/turingtest/ - I have a colleague who was trying to get a service in korea, and was doing fine bashing his way through the page until it came to entering the korean CAPTCHA text...]
14:27:30 slide: shows a chase manhattan login with a lock. the lock is just an image.. it doesn't say anything about the security
14:27:38 DanC_lap: thanks
14:27:58 showing just a lock, doesn't mean we are secure
14:28:41 rsa securId: vulnerable to man in the middle attack
14:28:45 jaltman_ has joined #security-ws
14:29:05 passmark sitesecure: can be spoofed
14:30:00 vircuser has joined #security-ws
14:30:03 phishing toolbars: crying wolf problem.. shows so many warnings that people pay less attention to them
14:32:47 peter has joined #security-ws
14:33:10 virc2user has joined #security-ws
14:33:43 Danny_ has joined #security-ws
14:33:49 jaltman_ has joined #security-ws
14:33:50 some points their carnegie mellon group is looking at: heuristics, semantics, trust reports (like new virus updates for norton...), off-the-band security, user experience
14:34:15 users can get phished more than once (interesting!)
14:34:25 user experience: to learn why they were not so aware, and how to train them
14:35:32 expectations for user action should be minimal. We should not expect them to not fall into phishing attacks, but make it impossible for this attack to happen
14:35:57 questions----
14:36:20 DanC: rsa secureID is vulnerable to mim attack in 60 mins. Is this a reason to dismiss it?
14:36:41 IF: no. It's just a way to say that the problem is not completely solved
14:37:02 DanC_lap has joined #security-ws
14:37:18 Andy G (MIT lincoln): What better education can we give users than have them defrauded?
14:37:34 IF: Education is part of the solution, but not the only solution
14:37:49 GeorgeStaikos has joined #security-ws
14:38:00 Jeffrey Abrams: Education is not just for users, but for everyone in the chain
14:38:03 someone keeps stealing IP addresses!
14:38:21 seems like a dhcp server problem
14:38:46 Second presentation: Dieter R. Bartl: Optimising authentication features in the web browser
14:39:50 how can we distinguish the original from the fake?
14:41:56 browsers have four properties today: address, menu bars, lock, key lock properties
14:43:19 among these features, the one users are most familiar with is the address bar.
14:43:37 the other ones are mostly unknown or hard to use
14:44:07 jaltman_ has joined #security-ws
14:45:29 thiago has joined #security-ws
14:45:32 falsification techniques include: domains with similar names, java script used to alter the browser (Remove address field), or to fake a secure page, or faking web sites
14:46:04 (the previous were ways to forge authentication features)
14:46:44 among these ones, the easiest and most effective fake is to attack the address field (hide it?) and second, to add a lock that doesn't mean anything
14:47:35 countermeasures to these attacks:
14:48:04 make it harder to forge sites, restrict how scripts can modify a browser
14:49:05 chaals- has joined #security-ws
14:49:13 conclusion: web browsers are capable of verifying web page authenticity, but this does not work in practice: authentication requires expertise, authentication features can be faked
14:49:19 [network is pretty dodgy]
14:49:23 rrsagent, draft minutes
14:49:23 I have made the request to generate http://www.w3.org/2006/03/15-security-ws-minutes.html chaals-
14:49:31 this is serious: phishing attacks cause financial damage and erode trust
14:49:48 and will in the end damage the reputation of e-business and the web
14:50:08 [network has occasional glitches, but is quite good compared to the last couple places I've been.]
14:50:22 The solution needs the involvement of browser vendors and users need to be aware of these issues and feel confident about the solutions proposed by browsers
14:50:25 rrsagent, draft minutes
14:50:25 I have made the request to generate http://www.w3.org/2006/03/15-security-ws-minutes.html jose-ny
14:50:33 rrsagent, make minutes public
14:50:33 I'm logging. I don't understand 'make minutes public', jose-ny. Try /msg RRSAgent help
14:50:36 [DanC, true...]
14:50:48 rrsagent, make minutes world
14:50:48 I'm logging. I don't understand 'make minutes world', jose-ny. Try /msg RRSAgent help
14:50:59 jose-ny, I dunno if the real-time chat should be public, without any delay or review
14:51:00 ---------
14:51:13 questions:
14:51:29 (someone) what is the relationship between a lock and its properties?
14:53:13 (does anyone know if the room to the west side has a sneaky back-route to the restroom? so I don't have to walk in front of everyone ...)
14:53:15 I gather that his point is: the risk associated with spoofing the key lock properties is higher, since users are less familiar with it
14:53:37 (oops, missed this question.. can someone help?)
14:53:38 Robert_Capps has joined #security-ws
14:53:59 answer: people are more aware of a key lock (icon or browser?) than the properties related to it
14:54:15 (or what it really means)
14:56:52 Muz/IBM: indeed, I agree with [prev speaker] that an important point in your paper is: we could have a more secure version of a browser, with fewer features
14:56:56 Mez: agrees that we could consider a higher security level with less browser features. Since long time, we have had browsers adding too many features (marketing), with security following behind
14:57:10 s/Muz/MEZ/
14:57:12 that doesn't speak to the user's primary objective, though
14:57:22 which is to see the funny movie where the monkey smells his finger
14:58:05 dieter: thinks it's a move in the right direction, but not sure if it's the 100% solution. It's a run between hackers and sec. engineers. It is rather one step towards a better solution
14:58:10 ----
14:58:43 Better Mutual Authentication Project
14:58:47 funny, someone just emailed the KDE core developer list with strong concerns about plans to remove features
14:59:01 xx from Financial Services Tec. Consortium
14:59:09 peter has joined #security-ws
14:59:30 jaltman_ has joined #security-ws
15:00:23 the better mutual authentication project has participants from securities industries, financial inst & assoc, other associations, gov. associations, tech. vendors
15:01:31 vircuser has joined #security-ws
15:03:09 financial industry recognizes there is a problem, and also that it cannot solve it itself. Needs cross-industry corporation: vendors, ISP providers, users...
15:04:23 potential for fraud is what has blocked the introduction of new financial services on the existing web infrastructure
15:04:53 today's biggest problem is the MiM attack, in addition to the trad. phishing attacks
15:05:05 financial malware is tomorrow's problem... it's already here
15:07:07 djweitzner has joined #security-ws
15:07:19 jaltman_ has joined #security-ws
15:07:54 looks like 00:16:B6:0C:D1:93 may be a bad access point
15:08:28 yeah, I got around some badness by resetting my airport
15:08:35 Robert_Capps has joined #security-ws
15:09:18 we need to clean up current practice, improve the situation, have both short term solutions and long term plans
15:10:19 We need to get terminology everyone can understand. "Federated identity" is not a layman's term
15:11:53 (do we have a link to this requirements and recommendations document? can we get one?)
15:14:06 RalfCHauser has joined #security-ws
15:14:23 need to establish a comprehensive architectural framework for web authentication
15:14:29 chaals- has joined #security-ws
15:14:40 rrsagent, draft minutes
15:14:40 I have made the request to generate http://www.w3.org/2006/03/15-security-ws-minutes.html chaals-
15:14:43 This framework should incorporate people (users) into the architecture
15:14:54 DanielD has left #security-ws
15:16:13 rrsagent, make minutes member
15:16:13 I'm logging. I don't understand 'make minutes member', chaals-. Try /msg RRSAgent help
15:16:50 rrsagent, make log member
15:18:14 establish new CA hierarchies that conform to financial industry policies
15:18:25 browsers should be distributed with no CA pre-established
15:18:58 s/.pre-established/disabled/
15:19:08 s/no// ?
15:19:10 What is the confidentiality status of the meeting?
15:19:10 users should rather enable the CAs they need as needed
15:19:16 vircuser: none
15:19:21 nick phillhb
15:19:32 So no problem if I blog?
15:19:43 Meeting: W3C usable security workshop
15:19:46 what should w3c do?
15:20:12 vircuser: nope, people are even allowed in this channel, afaik, but are asked to keep quiet
15:20:15 phillhb: ^
15:20:55 we need a comprehensive strategy... not just technology, short, middle, long term plans
15:21:57 true collaboration ^ cooperation is a refreshing new trend in security.
15:22:32 presenter was Chuck...
15:24:22 are the slides getting posted anywhere in "real" time? It's hard to read some of these
15:25:44 [s/some/a lot/]
15:26:07 DanC_lap has joined #security-ws
15:26:27 DanielD has joined #security-ws
15:28:19 -> http://www.ffiec.gov/press/pr101205.htm FFIEC Releases Guidance on Authentication in Internet Banking Environment October 12, 2005
15:34:40 beltzner has joined #security-ws
15:36:04 jose-ny has joined #security-ws
15:37:03 Ian: There are issues that need to be addressed in federation, but it's not the critical one
15:37:48 Amir H: are you considering making guidelines for mutual authentication that can be immediately used
15:38:05 Ian: The lock over the page, misusing security identifiers... those are some that could be considered
15:38:53 Chuck: the current situation is poor practice. Financial institutions are moving forward to best practice for better security. It takes time to roll it out
15:39:52 Alan has joined #security-ws
15:40:55 Army...(?): mobiles devices man. are announcing support for many authentication mechanisms. What does this represent a threat?
15:41:21 Chuck: The financial industry is concerned about cross-site use of information. This needs to be cleaned up
15:42:35 Army..(?): using a password management removes almost all of the phishing attacks. The password manager can detect where the information is going to be used.
15:42:50 attendance list
15:42:56 army (>): for the current problems this is an immediate solution
15:43:27 s/army/amir
15:44:00 xx: there are users about password managements too. what happens when it breaks down?
15:44:27 Chuck: customer management has to be taken into account in the framework
15:46:00 PhilHB: digest authentication solves many problems. It could solve the mim attack. It failed because there was no way for the user to know which kind of authentication he was using
15:47:15 [PHB - make the user experience better. This is actually valuable because it means we hassle the user less often about real problems, so the "just click OK to anything" effect takes longer to kick in...]
15:53:08 jaltman_ has joined #security-ws
15:54:20 jaltman__ has joined #security-ws
15:55:28 jaltman__ has joined #security-ws
15:58:11 o.O
15:58:22 I think that taking this model of security to a point of perfection will end up getting us nowhere
15:58:35 if the user's computer is compromised, you've got an entirely different class of security problem
15:59:01 that's true but it is something to keep in the back of our minds as we move forward
15:59:39 jose-ny has joined #security-ws
15:59:50 Dieter: we need to identify the weak links in the chain. For me, this is the interface between the customer and the user. Malware is really serious
16:01:08 PHB: Stopping the user pain is a valid thing to do. Even if it doesn't reduce the losses, it's worthwhile to ease the user experience
16:01:08 yy: once I logged in, all of my authority is in play when I use an online trading account. The problem seems to be linking all of the user's authority on authentication. We should avoid giving all the authority once we are authenticated
16:01:08 chuck: agrees in general with this comment.
16:01:08 chuck: regarding multi-factor authentication
16:01:12 Dan Schuts: it's good to start thinking about authentication. We should think about moving further than authentication. Authentication should be thought about from the risk analysis point of view
16:01:17 s/Schuts/Schutz/
16:01:19 Dan Schutz: Many of today's transactions involve delegation authority to a third-party, but it's not the full authority for everything.
16:01:22 chaals: we're trying to reduce the cost to users when filling out forms. It's an expensive operation for the user
16:01:31 chaals: Cookies is a solution. Automatic form filling is similar too. Reducing the ordinary cost to users of filling forms, answering dialogue gives better payback from security
16:01:34 Eve Maler: Many people understand authentication without authorization
16:01:36 Eve Maler: How can we make a useful system for simplified authentication. The trick is to find out how to make different levels of authentication
16:01:39 s/make/have/
16:01:43 simple one for simple tasks, more high level security for other tasks.
16:01:47 Finding the correct terminology is really important and difficult
16:01:49 Ian: Password managed on the client side is fragile when the user's computer is compromised
16:01:51 --- Disconnected (Remote host closed socket).
16:01:53 --> You are now talking on #security-ws
16:01:59 --- Topic for #security-ws is http://www.w3.org/2005/Security/usability-ws/
16:01:59 --- Topic for #security-ws set by DanC_lap at Wed Mar 15 14:52:05 2006
16:02:01 --- Keeper gives channel operator status to jose-ny
16:02:03 Dieter: we need to identify the weak link
16:02:05 (cut and paste of missed minutes)
16:07:03 jaltman__ has joined #security-ws
16:08:41 jaltman___ has joined #security-ws
16:08:54 peter has joined #security-ws
16:21:27 Alan has joined #security-ws
16:21:33 everybody eating and drinking
16:21:41 weinig has joined #security-ws
16:26:33 vircuser has joined #security-ws
16:28:35 Alan_ has joined #security-ws
16:41:16 jose-ny has joined #security-ws
16:48:35 .
16:48:36 .
16:48:36 .
16:48:38 Topic: Jeffrey Nelson, David Jeske; Google, Inc: Limits to Anti-Phishing
16:48:42 ScribeNick: DanC_lap
16:48:49 Jeske presenting...
16:48:56 Mez has joined #security-ws
16:48:56 ... he does the google login system
16:50:11 scribenick:danc_lap
16:50:13 Jeske: we use the same interface for high-security apps like adwords and low-security apps
16:50:15 scribenick: danc_lap
16:50:34 ... this is clearly a risk.
16:51:12 ... but even more, we're seeing little sites using google credentials to access their services
16:52:18 (dns is down again)
16:52:54 (brb)
16:53:10 JeffNelson: I'm also on the google accounts team...
16:53:57 JN: we (ebay) went thru $100k learning how to manage/prevent fraud. [see quote on slide]
16:54:30 beltzner has joined #security-ws
16:55:35 That was $100 million, no?
16:56:05 oops; probably so. as I say, see the slide.
16:57:38 JN: one approach is new browser chrome with logos/trustmarks. But phishers know how to spoof all that.
16:58:02 beltzner has joined #security-ws
16:59:21 JN: to some extent, petnames [should also be in the list on ... oops... which slide?]
16:59:45 (I wonder what to make of the "Confidential" label at the bottom of the slides, given that the proceedings of this workshop are public.)
17:00:00 (you make nothing of it, since they should know that :)
17:00:35 jaltman___ has joined #security-ws
17:02:22 JN discusses zero knowledge proof and "re-registration" attacks [not mentioned on the "Weak credentials" slide]
17:03:22 slide: "Passwords[sic] hashes are week"
17:03:55 s/week/weak/
17:05:15 Q: how many times does google let people re-try the password dialog?
17:05:20 A: it's a complicate algorithm
17:05:28 s/complicate/complicated/
17:06:29 JN: the point is not about active password attacks, but about offline attacks on hashes; this shows you just need to do a million md5s
17:06:35 [discussion is curtailed...]
17:08:45 chaals- has joined #security-ws
17:11:31 -- q/a
17:12:03 andy ostman (mit lincoln): is there any prefiltering of passwords to test if they are high valued ones?
17:12:04 [??? I got connected...]
17:12:04 Andy_O: about the password data... is there any filtering of the passwords to be sure you're testing the high-value passwords?
17:12:21 (lets danc_ scribe)
17:12:21 A: no. the only thing we threw away was unsuccessful logins.
17:12:37 ... we have single-sign-on
17:13:48 Q[whom?]: you make the point about hashes... the google toolbar sends urls over a clear channel, perhaps exposing password hashes
17:14:05 A: good point. I'll pass that on to the folks who work on that, though I expect they're working on it.
17:14:27 Q/Microsoft: why doesn't InfoCard score "yes" under Trusted UI?
17:14:33 A: cuz there's no secret...
17:14:58 Microsoft: yes, there is; I'll explain in my presentation
17:15:31 .
17:15:31 .
17:15:31 .
17:15:42 Topic: Drew Dean; Yahoo!, Inc: Authentication for web services
17:16:40 - slide: A brave new world
17:18:01 jaltman___ has joined #security-ws
17:19:39 chaals- has left #security-ws
17:21:20 DD: opaque identifiers are a key to independent evolution of yahoo services and 3rd-party services
17:22:16 Q[who?]: are these opaque identifiers authority-bearing? once i have one, can I use it to exercise rights?
17:22:23 DD: in some cases, yes
17:22:25 Q: in what cases?
17:22:33 DD: perhaps on a tivo or mobile platform
17:22:45 [not sure I got the gist of that.]
17:23:25 DJW: I hope we can discuss the contrast between lower-case web services, aka javascript, on the one side, and the upper-case Web Services [architecture?]...
17:23:50 .
17:23:50 .
17:23:51 .
17:24:06 Topic: Robert W Capps II; World Savings Bank: Digital Authentication for an Analog World: Why Authentication Processes Fail and How Do We Fix Them
17:24:47 slide: Key Concepts
17:25:39 RC: a number of these credentials are actually public records: date of birth, etc.
17:26:19 RC: note ATMs are an example of widely-deployed 2-factor auth. we're not exploiting that experience.
17:26:35 - slide: Key Concepts (cont)
17:27:55 - slide: Key Concepts (cont). The OS...
17:29:33 RRSAgent, pointer?
17:29:33 See http://www.w3.org/2006/03/15-security-ws-irc#T17-29-33
17:30:01 Alan has joined #security-ws
17:31:52 (I wonder how much of what I typed made it into the log. previous line, repeated: - slide: Key Concepts (cont). The OS... )
17:32:07 vircuser has joined #security-ws
17:32:22 RalfCHauser has joined #security-ws
17:33:02 DanielDreymann has joined #security-ws
17:34:04 Shirvam[?]/Microsoft: when we talk of standardizing icons and such, it's great for consumers... but it's also great for phishers, no? they just need to copy one set of icons
17:34:15 peter has joined #security-ws
17:34:22 A/Google: this is why the secure UI has to rely on a user secret
17:35:39 A/google[other guy]: there's work going on with vmware to have a secure part of the OS. I'm sure microsoft is doing likewise. Because right now, the attackers can spoof everything. [I must have missed part of his answer]
17:36:09 Q: this is known as the [?] path problem. It's traditionally seen as an input. What we're seeing with the phishing situation is that an output is needed too.
17:36:19 Q[who?]: [missed]
17:36:46 A: [missed]
17:38:15 chaals- has joined #security-ws
17:40:06 RalfCHauser has joined #security-ws
17:40:17 plipp has joined #security-ws
17:42:01 jaltman___ has joined #security-ws
17:42:44 vircuser has joined #security-ws
17:44:04 djweitzner has joined #security-ws
17:46:38 jose-ny has joined #security-ws
17:48:09 DanC_lap has joined #security-ws
17:48:34 Q: [something about flickr and delegation]
17:48:36 A/yahoo: I think flickr has published an API for that
17:48:43 Q: it should be in more places
17:48:55 A: yes, I can see the desire for a standard...
17:49:53 A/google: yes, I can see the desire for a standard too, but anti-phishing mechanisms have to come first, since it increases phishing risks. 17:50:28 s/[something about flickr and delegation]/there is a problem that there is no way to share something with a couple of people in flickr - either you hand over your password or you use one of the two pre-baked groups/ 17:50:35 Q: but if there are compelling apps, they'll just give away their whole username/password credentials if there aren't partial delegation standards. [who?] 17:51:25 A/google: flickr is one success story, but another paypal subscription [something] is another case; but of course they're one of the top phishing targets 17:52:15 Q:social attacks are likely to be just about as effective with partial delegation. 17:52:34 A/google: indeed. 17:53:34 A/google: [describes a cross-site attack on paypal]. There's no delegation there, but it's something we need to consider. 17:53:59 Q: we're already doing delegation by mailing around URLs. Seems like we should be able to do something along those lines. 17:54:20 s/delegation/fine grained delegation/ 17:54:46 Daniel_GoodmailSy has joined #security-ws 17:54:53 A/google: we'll have to think about that... [something about reducing complexity, and how doing something like RSS might work] 17:56:32 DJW: on the trusted platform point... do you see some middle ground? 17:57:11 A/google: the bar today is very low; a script can manipulate the dom and paint the whole screen... 17:58:18 ... something that just has a secure keyboard handle... [missed; help?] 17:58:41 DJW: if that's a user-choice, don't we have the same phishing problem? 17:59:40 Drew: note the WinNT password dialog has you hit ctrl-alt-delete 1st. 17:59:51 ... this is orange-book stuff. 18:00:08 ... and note x509 logo stuff 18:01:50 Microsoft[shriram?]: the OS has lots of this stuff... Vista has [missed]... but the browser runs in user mode and this is in system mode... 
plus, ctrl-alt-delete doesn't integrate with forms, password managers 18:03:35 A/google: [...] but if, for example, javascript couldn't resize the browser window, that might have a real impact 18:04:43 Drew: years ago, with a few weeks of grad student labor, we were able to do very sophisticated spoofing. Even less sophisticated attacks are working. 18:05:53 Q/comment[who?]: re trusted path to the password problem: one of the oldest tricks is to ask for the password, say it was wrong, and then ask again [?] 18:06:55 Drew: indeed, trusted path implemented incorrectly doesn't solve the problem 18:07:56 . 18:07:57 . 18:07:58 . 18:07:59 Robert_Capps has joined #security-ws 18:08:00 --- Lunch 18:08:37 DanC_lap: that last comment was from George Staikos 18:08:46 Robert_Capps has joined #security-ws 18:22:43 vircuser has joined #security-ws 18:24:16 djweitzner has joined #security-ws 18:24:20 beltzner has joined #security-ws 18:27:40 vircuser has joined #security-ws 18:48:07 virc2user has joined #security-ws 18:48:33 jaltman___ has joined #security-ws 18:49:48 RalfCHauser has joined #security-ws 18:51:52 jaltman___ has joined #security-ws 18:52:43 djweitzner has joined #security-ws 18:56:23 Robert_Capps has joined #security-ws 18:58:04 Alan has joined #security-ws 19:02:20 DanC_lap has joined #security-ws 19:04:29 peter has joined #security-ws 19:04:50 peter has joined #security-ws 19:06:35 chaals- has joined #security-ws 19:06:43 jaltman___ has joined #security-ws 19:09:05 jaltman___ has joined #security-ws 19:09:25 research shows that users spend an average of 0.05s deciding if a page is trustworthy or not 19:10:23 peter has joined #security-ws 19:13:31 jose-ny has joined #security-ws 19:13:38 scribenick: jose-ny 19:13:52 Session 3: Phil Arch: Quatro Approach 19:13:58 Slide: The Quatro Vocabulary 19:14:38 Slide: Quatro allows a TM operator to: 19:14:54 plipp has joined #security-ws 19:15:10 A common vocabulary provides interoperability 19:15:19 Slide: ViQ Browser 
Extension 19:15:53 Slide: LADI Search Engine Wrapper 19:16:19 Slide: Oh Yeah? (Semantic web button) 19:16:29 Slide: ViQ Browser Extension (cont) 19:16:35 Shows from where the metadata came from 19:16:37 thsoe acronyms are meaningless, of course ... 19:16:46 but I guess that's a trustmark branding issue 19:16:52 jaltman___ has joined #security-ws 19:16:55 did he cover how these trustmarks aren't themselves spoofed? 19:17:24 Slide: ViQ Browser Extension (cont) 19:17:41 click on the metadata, you get more information from where it came from 19:17:53 slide: (untitled) shows back end process 19:18:07 Quapro-- quatro proxy 19:18:46 (someone had to say it) 19:18:59 Daniel_GoodmailSy has joined #security-ws 19:19:13 Can use digital signatures to increase the integrity of the messages 19:19:51 Slide: Trustmark use cases 19:20:14 Segala (company that does accesiblity testing) 19:22:24 search engines have shown interested to in trustmarks 19:22:28 Slide: Trustwatch 19:23:00 Slide: The Quatro PArtners 19:23:43 Q/A 19:24:17 Q: Mike.. Mozilla: What is the recourse for the authentication whether a web site satisfies the (trustmark) criretria 19:24:23 A: Evaluation process 19:24:39 Mez has joined #security-ws 19:25:05 Q: Hav e you considered labelling a certificate as a higher level autority? Concerns about this being overloaded as not only a certification mechanism, but also authentication... Can you use if or authentication too ? 19:25:17 A: No, buit we surely are going to talk about it 19:25:18 chaals has joined #security-ws 19:25:54 Q: Amir H. We are considering this protocol in proxies. Have you considered standardizing a protocol to get queries about this kind of information from servers 19:26:22 A: We have a very tiny schema and light weight protocol for the moment. 19:27:07 Q: Amir H. : There are also trust and privacy issues. 
This protocol and issues may be something that the W3C could be interested in
19:27:10 ----
19:28:11 Presenter: Mary-Ellen Zurko (mez) Using History, Collaboration, and Transparency to Provide Security on the Web
19:28:32 co-written with Dave Wilson from the Workplace, Portal, and Collaboration Software division of IBM
19:28:47 yay I'm online again
19:28:53 heh
19:29:27 Slide: What I'll talk about
19:29:47 Will talk about reality outside of computers (third point)
19:30:20 Slide: The Problem Space
19:30:42 Attacks would be less effective if there wasn't a way to put things on the user's space (mail push)
19:31:12 scams always exploit the mistakes / assumptions that people make. An absolute solution won't exist. We can stop the flow rate, though
19:32:15 Thinks that when people say that there is a mutual authentication problem, it's more about the authentication of the web server to the user
19:32:38 thinks that DNS domains can act as authentication authorities
19:33:44 Protections need to be moved back to the user, as there may be many tiers, unless there is a global protection mechanism
19:33:51 Slide: Trustworthiness of web site
19:34:10 How fast does a user detect that a site can be trusted
19:34:52 These are things that security tech. cannot provide (ease of use... etc).
That's why security technology has failed in this area
19:35:00 Slide: Metadata for reality based assurance of web sites
19:35:14 Slide: personal history
19:35:42 There are a number of things that a web browser can know that can help determine the trustworthiness of the site where a user wants to connect
19:36:07 (regarding the question of using QUATTRO style labels to make connections between CAs, that's close to some research we've done with RDF and digital signatures for a few years. http://www.w3.org/2000/10/swap/doc/Trust . I wonder if there's any chance CAs would look outside the world of ASN.1)
19:36:09 such as how many times he has visited it, how he got there (followed a link, ...)
19:36:17 Is that site bookmarked
19:36:34 (this was done in annotea)
19:37:00 If the site was previously authenticated, has this info changed? Same password, ip addresses, same kind of cookies?
19:37:07 Did we post data to it previously?
19:37:58 Slide: History of others with personal connections
19:38:26 suppose we do some or all of those processes. One of the big problems will be the bootstrap problem
19:40:09 When you have information about people's other public-keys, you can make a web of "friends" from that. You can then use those public-keys to trust web sites
19:40:23 Slide: Mediators and Authorities
19:40:45 if you don't have the possibility of making a web of friends through key exchange, you can use mediators and authorities
19:40:57 not warm towards this approach
19:41:22 which servers you may trust?
19:41:41 slide: in summary
19:42:02 Metadata tied to personal history can combat large categories of scam, the ones we care about right now
19:42:18 Integration with mail infrastructure could provide extra benefits
19:43:13 Classic usability techniques can help fight against scams too.
We should add a strong requirement to do usability testing on this kind of solution before deploying it
19:43:20 otherwise, it may not work
19:44:16 There will always be a gap where human ingenuity crosses human naivete, but we will have to live with this. At least make this gap as small as possible
19:44:31 Q: Fred. Hirsch: (missed it)
19:44:44 A: If there is a place where you can trust gathering, this schema may work well
19:45:13 All the personal information that was mentioned is already available on the desktop
19:45:39 If we can find a way to only share data with people we trust, this will take care of a big part of scams
19:47:00 Q: Jeff (Google) History can be used as a facilitator for the attacker (javascript security model). Making history usable as a preventive mechanism will also be tricky. The API that would make this info available could also be available to misuse it
19:47:09 A: Agreed with the point
19:47:43 [depends whether the API *does* make history available]
19:48:31 Speaker: Transparency and Usability of Web Authentication, Kenneth L Wright II, Electronic Fraud Analys, World Savings Banks.
19:49:42 Slide: FFIEC as a starting point
19:50:11 ...
19:50:17 slide: Mutual authentication
19:50:25 we want to make sure that a site is safe for the consumer
19:50:33 Consumers feel safe with trusted channels
19:51:08 Slide: Personalized web experience
19:51:58 Would like to see personalized color schemes, phrases, ... anything that will allow a user to have trust in a server... for raising the awareness on what is a spoofed site or not
19:52:08 history of transactions etc.
19:52:23 This will create a reverse channel of biometric information
19:52:35 Not sure how this may be done, but this is what would make my life easier
19:52:48 Slide: Low Level Authentication
19:53:07 slide shows a web site that just displays a name and an email
19:53:12 Slide: Mid-level authentication
19:53:36 site proposes personalized indicators (visual, audio, ...)
19:53:42 High level authentication:
19:54:06 session timers, transaction history, security checklist (you have to complete these steps before giving your credit card number)
19:54:26 figure shows personal interaction items in the page
19:54:31 Slide: Conclusion
19:54:49 Personalize experience for the end-user
19:55:00 consistent authentication across the web
19:55:14 better placement of fraud tips and info
19:55:22 ------------
19:55:26 Q/A
19:55:55 Q: Shivaram Mysore (Microsoft): We store lots of information. This can cause lots of grief. I'm providing the bank more information than I want...
19:56:15 A: I agree. It's like choosing one's own poison. Do you want to provide it or not?
19:56:55 Q: Don Schutz: If I have a trojan inside the PC, all this stuff doesn't work anymore.
19:57:05 I wish people would stop bringing up the trojan-in-the-pc thing
19:57:18 it's laced with horrible stop-energy
19:57:19 A: Yes. My perspective was that a computer was safe
19:57:25 baby steps, people
19:57:33 Q: You don't need to have a trojan in order to exploit this information
19:58:07 A classic MIM attack will weaken it, while giving the user a false sense of information
19:58:18 fine, so put these signals in email communications from corporations
19:58:34 A: I didn't take into account this attack in my presentation
19:59:04 Q: phishing sites are looking for names and passwords
19:59:21 Just the user name is not enough... MIM attack
20:01:21 Q: Mike (Mozilla) It could be the three cups of coffee and a bottle of pepsi.. what we want to take away from the cat's paw are the emails that are impersonating someone.
By making it harder to forge these trusted emails, we can already avoid these attacks
20:01:34 It is not a final solution, but there are points that we should take into account
20:02:15 Q: Ian (C-Mellon). How can we do even better to avoid forged mails? Phishing mails are getting better and better
20:03:10 A: Smaller financial institutions are starting to experience phishing and their customers are unaware of them. Contrast these with the bigger enterprises. A standardized, better way of presenting this notify info to users could already help
20:03:49 Q: Amir H: If we know a site that is known, we can build a secure channel to the server using its public-key
20:04:45 A different problem is how to identify a web site that doesn't provide misleading information? How to make the server provide secure information through a secure channel?
20:05:52 Q: PHB: We're dealing with internet crime. We need a different kind of approach to it compared to the traditional one. There is no one single system that can provide a complete solution. A response center can be part of the solution. This infrastructure is already deployed and banks are using it
20:06:50 Giving a reasonable cost to an attacker will make this attacker shift his sight elsewhere
20:07:58 Q: Dan Schutz: Having a secure channel removes all the MIM attacks. We have taken steps together to understand the moving parts. We should now think about a roadmap that integrates these solutions
20:08:05 ---
20:08:07 General discussion
20:08:43 MeZ: Lack of imagination on how people will solve the problem of viruses and trojans, but admires them
20:10:03 [Google knows how many times I went to a site?!?!?!?!?!]
20:10:12 [no]
20:10:23 [it knows how many times you clicked on a site after searching for something]
20:10:27 [if you sign in with your google ID]
20:10:32 [when you search]
20:10:34 [and]
20:10:35 [stuff]
20:10:51 [oh. OK, that seems more reasonable]
20:11:13 DJW: Mez, you suggested that if you actually personal history metadata... collaborative metadata and applications have always been cool on the web. Do you think that can be part of a solution?
20:11:50 A: MeZ: yes .. maybe in the family, personal, enterprise scope. You could leverage this information. It may not scale well outside
20:12:14 A: Phil Archer: Shared bookmarks may help. Passing URLs to the family may help
20:12:17 (FOAF)
20:12:36 In social networking people want to share things to communicate
20:13:17 Q: Mike Mozilla. A lot of these metadata systems are based on the idea that people will only visit them after having been there once or twice
20:14:20 A: Mez: You're right. Personal history may help to counteract many scams. The bootstrapping problem is usual
20:14:50 q: Fred Hirsch: Collaborative work may work against you. Someone gave me a link, went there, it looked like a scam in the end and the effect was multiplied
20:15:04 A: Mez: thinks that collaboration may have a better effect than side-effect
20:16:20 Q: What are the practical guidelines that W3C can give to web sites to develop better practices
20:17:00 A: Mez: It's hard to imagine what may be done. Not sending email doesn't seem like an alternative. One has to take into account scaling problems
20:17:48 A: Phil Archer: Semantic web activity is not based on trust right now. We can have multiple sources of data all talking about the same resource
20:18:44 we don't know which one we may trust... if you promote lots of stuff, the bad stuff would be pushed away compared to the good information that we will have
20:19:34 Q: (RSA) ...
20:19:49 (beltzner, care to rephrase this question? I didn't get the beginning yet)
20:20:28 The attacks on social systems won't be immediate, but may be built over time. Smart attackers are not necessarily going to be greedy
20:21:14 jose-ny: oops, I only listened to the answer, but I think it was in answer to the Q about practical guidelines
20:21:34 Q: Amy (Technion): Seems that we want to minimize false positives. Institutions are losing confidence in institutions. The icons and so on can build trust, but they don't really solve the phishing problem.
20:22:09 A: Mez, it'll be a step towards improvement
20:23:26 Q: A Jeff. Altman: Maybe the best solution would be to just say "there's information waiting for you at your *bank*", without putting any links, anything. The users would know where it is... users should know where their web site is already
20:23:39 People who are making these attacks don't look shorter, but longer term
20:24:13 I'd think very carefully about what kind of info we would put out... take into account privacy and long-term accounts. Avoid sending info in the clear
20:24:45 A: Mez. The message about never sending URLs could work as a best practice... (missed end of remark)
20:26:38 Q: Lisa. Many of these solutions can move to an arms race, where mimics will try to get the upper hand. Anything that is just another step in the arms race is going to cost the scammers, but will cost the users more. After a few times it will become much more expensive to follow up and have trust in it
20:27:41 Q: Amir. Saying that a bank image doesn't provide any link to a bank system could be good. It would be better if this link opened a secure channel and this would be the only way to contact the server
20:27:57 Labelling and ratings are very good ideas. Suggests they are done for public-keys and not just for ratings
20:28:41 A: Danny ... goodmail systems. Not enabling links in messages is a non-starter for marketing messages
20:29:07 one should not look at the transaction messages just separately
20:30:05 Q: Mike Mc... Another problem that banks are trying to solve is secure mail and crypto mail. S/MIME is good, but doesn't provide anything against links... two worlds colliding
20:30:45 Q Dan Schutz: We can tell our customers our messages never have links
20:31:40 A lot of scams exploit this infrastructure
20:31:55 --- coffee break ---
21:04:07 We'd need a volunteer to scribe. Any takers?
21:09:47 Scribe: beltzner
21:09:50 Thanks Mike
21:14:25 pwned
21:14:37 Tyler Close, HP, Petname Tool
21:14:50 Slide: overview of 10 minute talk
21:16:21 Slide: Which is the spoof?
21:16:53 shows two screenshots, they look identical (one is paypai.com) - there's a 1px difference
21:17:03 can be 0px
21:17:49 Slide: Now, Which is the spoof?
21:17:53 [If you were using Opera you would have information about the certificate as well... :P]
21:17:59 petname tool makes it easy
21:18:02 [hush, you]
21:18:19 [:)]
21:19:22 petname provides semantic data that is provided by user to give them a reference that is unspoofable
21:19:27 [well, if you got a certificate for Paypai Inc. registered in the US, you would still only have one extra pixel...]
21:19:30 Slide: User training message
21:19:54 Slide: States
21:20:38 petname has three states: no SSL (disabled), SSL but not yet annotated, SSL and annotated
21:20:48 [my typos are brutal! typing in the blind, here]
21:21:09 implementation is actually just bookmarks
21:21:39 scribe-nick: beltzner
21:21:52 Present: See The Program
21:22:15 bookmarks created in a "petname" folder, named with the annotation from the user
21:22:42 would like to tie in password generators to this functionality, such that user never knows the passphrase
21:23:39 [yeah, I think he stated that limitation up front, but it's a biggie; could use a portable profile on a USB key, maybe?]
21:24:07 [I wonder what happens when referrer codes are in that URL]
21:24:12 (or a la delicious shared bookmarks?)
21:24:40 petname provides a way of indicating an ongoing relationship with the site
21:24:56 [overall I like this signal, though]
21:25:13 [yeah, me too]
21:25:59 Q: Ian Fette, CMU. Any tests with users? What happens when users see "untrusted"?
21:26:48 A: Tool available for download for >1yr, over 7500 users, frequent feedback via email, no formal user study
21:34:49 Q: Drew Dean, Yahoo: how do you distinguish the site?
21:34:49 A: Hash of the CA public key and the distinguished name in that cert
21:34:49 Q: (cont'd): so renewals cause the system to fail?
21:34:49 A: Yes, but that's a limitation of the CA infrastructure
21:34:49 Q: John Lynn, RSA: do you see this as a potential creator of bad habits? Since the default is "untrusted" and people might just think "oh, but I do trust this site"
21:34:52 A: Yes, so it's important to get the user at the first point of interaction. I have a proposal where the hash of the public key is embedded in the URL so that the browser knows to trust that first interaction. Could compare against other public key hashes from the wild to get a reasonable measure of confidence.
21:34:57 Q: Terry Hayes, AOL: curious about the link between password manager and this approach; if one creates a name when one registers at the site, that's a strong tie in.
21:35:00 A: Yes, absolutely. Worst case scenario is that you've created a new password that's useless to the phisher.
21:35:03 Amir Herzberg, Bar Ilan University, Safe Browsing for Dummies
21:35:06 Slide: Current browsers expect users to ...
21:35:08 [damned network]
21:35:33 users don't notice existing security indicators
21:35:42 nor do they understand SSL/PKI/CAs
21:36:21 Slide: What went wrong? How to fix?
21:37:29 avoid jargon and technical details, and focus on user-familiar terms
21:37:38 focus on name of site and name of CA
21:38:54 Slide: TrustBar: site identification widget
21:39:08 uses logos as well as text
21:39:14 right in the menubar
21:39:16 (bam)
21:39:31 Slide: Soon in IE7
21:39:51 IE7 will have a similar strategy, but no logos and only for extended validation certificates
21:41:07 Slide: SSL certificate Validation
21:45:02 Slide: Requiring Stronger Certification
21:47:33 (to norton.. or to xkms?)
21:48:08 Slide: single-click login
21:49:44 Slide: single-click login with TrustBar
21:50:49 [remote/roaming profile?]
21:51:13 [how do you use this in an internet cafe?]
21:51:23 Slide: defending against malicious attacks
21:51:48 [I saw it, fwiw]
21:52:37 Slide: current mal-content defenses
21:53:28 [If you are in an internet cafe and you log into your bank account you have a lot more to worry about, hardware keystroke logger for example]
21:53:36 [indeed]
21:53:38 [dude behind you with a club ...]
21:54:31 Slide: conclusions
21:54:48 [but neither of those possibilities stop people from using secure material on shared machines. And there are places where shared access to machines is the norm, not the exceptional case]
21:54:50 trustbar: http://AmirHerzberg.com/TrustBar
21:55:51 Q: Mike Mcormick: Could you elaborate on the public protest certs? That sounds like a can of worms if I can revoke your certs.
21:56:53 A: It's a limited time protest, checking them is pretty easy, similar to trademark system. Of course, this does open up a DDoS vector. Can be solved by requiring cash deposit, though.
21:57:50 Q: Ian Fette, CMU. I'm also worried about the CA extended validation cert, as they might price SSL out of the reach of many users.
21:58:05 (VeriSign interrupts to remind us that this might not be the case)
21:58:34 Q: (cont'd) A few weeks ago about how a store and a bank had the same name, how do you resolve these disputes?
21:59:50 [I can't find an answer in what he's saying - anyone else?]
22:00:33 A: we stay out of that, leave it to the legal system (ish, sorta, kinda)
22:00:36 ---
22:00:45 this seems really backwards to me
22:01:07 you have to have every company in the world watch who is getting certificates 24/7 and try to catch any case that conflicts with their interests?
22:01:12 Sebastian Gajek, Ahmad-Reza Sadeghi, Client Authentication in a Federation Using a Security Mode
22:01:14 -> does not scale
22:01:24 [George, right, and it's why I don't like ext-valid certs :)]
22:01:35 [nyah, nyah]
22:01:39 not to mention that CAs probably don't want to release their customer list before they finalize the issuance
22:01:43 Slide: Problem
22:01:47 Slide: Terms
22:02:13 beltzner: maybe the onus needs to be on the CA instead, and enforced
22:02:56 Slide: what is security mode
22:03:58 Slide: case study, tampering
22:04:35 Slide: case study, transparency
22:05:57 Slide: providing security requirements in browser model
22:06:24 SSL is actually a three party protocol, with the browser as a party
22:07:39 Slide: case study, proving security requirements (2)
22:07:43 [oops]
22:07:51 [taking notes in the blind is harrrrd]
22:08:21 Slide: candidate solution I: secure mode browser
22:10:34 Slide: example of "online-banking browser"
22:11:48 Slide: candidate solution II: PERSEUS
22:11:58 goal is to prevent mail-web phishing
22:12:27 lets user run browser in a completely isolated OS environment, preventing malware attacks
22:12:36 Slide: summary
22:12:52 more info at www.prosec.rub.de
22:14:06 Q: Amir Herzberg: Protection from malware coming from websites, not from on the machine, right?
22:14:17 A: the goal is to prevent malware from ever being installed in the first place
22:15:40 Q: jeff, Google: following up on trusted computing, do you deal with JS and active content?
22:16:08 A: to avoid these sorts of attacks, we prefer to go into a limited browsing mode
22:16:24 A: two different technologies: trusted computing, anti-active-scripting attacks
22:16:27 ---
22:17:07 Phillip Hallam Baker, Verisign, Secure Letterhead
22:18:05 Slide: we're not in kansas anymore
22:18:16 (not taking slide notes anymore)
22:18:42 secret service now laying charges against fraudsters
22:19:33 currently in the whack-a-mole business
22:19:42 want to be playing chess, and be several moves ahead of the bad guys
22:21:03 focus will be (for this talk) on disrupting the social engineering attack
22:21:14 big deficit is in the outbound communication from companies
22:21:41 multiple approaches: layered security, cryptography, law enforcement
22:22:06 w3c is best positioned to assist with user interface portion of this
22:22:43 goal is to ensure that a message from X is authentic
22:23:27 site identification currently done by DNS, which was designed as a _location_ mechanism
22:25:26 proposal is to split identification from location and leverage SSL certs to do so
22:26:47 [was it really? I thought it was to encapsulate a public key ...]
22:27:19 [what is a "high assurance" CA?]
22:30:18 "high assurance" = an excuse to charge more
22:31:15 [gentle, gentle ;)]
22:31:56 [although this is the part of the CA pitch that I dislike: hey, can you differentiate us for our market, browser makers?]
22:32:41 Q: Charles, Opera. Like the idea, but I've also tried to claim insurance before, and know that's difficult to do ... why would this be any different?
22:33:14 A: Yes, that's an issue. But the insurer doesn't work in an environment where a single default turns up on the WSJ.
22:34:25 A: We're in the blogosphere, and reputation is easily damaged. It's a matter of record that VeriSign has issued certs to spoofers - our process was defeated through our own error. But we revoked as soon as we knew and informed the public.
22:34:51 Q: (follow-up) So risk-exposure for us as the browser is that we get blamecasted for the CA's screw-up
22:35:53 A: I agree that we need to work these things out, like response times, and support for various issues and ...
22:36:49 Q: Dan Connolly, W3C: It looks like you're willing to accept chrome attacks and write that off as a cost of business
22:37:20 A: I'm presenting a protocol, and assuming that the lower levels in the stack will support us. I would hope that a browser implementing secure letterhead would provide some sort of chrome protection.
22:38:37 A: The idea isn't for total coverage, but to secure the user with an up to date browser that's outside a botnet
22:39:00 Q: Chuck Wade, wanted to follow up on the comment about community logo.
22:39:39 A: Two uses for community logo; 1. Affiliate networks. 2. Different communities within networks of trust.
22:41:05 ---
22:41:07 Panel Time!
22:41:35 Q: Tim Fette, CMU: For Phillip, assuming that all the technical stuff is in place, how do you get across to the user "Signed by VeriSign"?
22:42:12 A: Phillip, One of the consequences is that it means the nature of the game changes, and that becomes the responsibility of the CA. This will require investment, just like VISA and M/C do today.
22:42:59 A: VISA, M/C are a good analogy, as they don't have contact with the public directly, but through member banks
22:43:29 Q: Tyler, But it's always been possible to identify the CA, so what makes this different?
22:45:03 A: It's been possible, but not discoverable. Because it's buried, it's not being used. Also, it's not using our existing predilection for brands and logos.
22:45:19 [he took a taxi? am I the only one taking the MTA?]
22:46:45 Q: ???, A lot of the proposals today are based on people always using a single machine, but there is a lot of our user base who must use 1..n machines and doesn't have a single store for this information. Second comment, evidence shows that users don't pay attention to the user chrome, so it's not clear to me that adding information there won't help us.
22:47:43 [We'll not close sharp at 6, but maybe 10-15 minutes later.]
22:47:52 [I'll probably have to take up the "who are you" routine again.]
22:48:30 A: (Amir) Agree, and TrustBar trivially supports many of these issues for mobile/multiple system users, and there's ways of doing this for single sign on as well. Second point, additional tests should be done, as our tests show a substantial increase with TrustBar. The issue might be expectations.
22:49:43 A: (Tyler) Existing studies don't take into account the interaction patterns. What I take from this is that passive indicators have questionable benefit. Interactive indicators might be more noticeable.
22:50:37 A: (Tyler) change the login ceremony to involve these indicators
22:51:20 A: (Philip) On the point about the mobile user, that's one thing that's nice about secure letterhead, all it needs is display, not user context
22:55:33 Q: George Staikos, KDE, This panel has had a lot of proposals for in-browser implementation. I think using CA/site brand is a great tool for building user recognition. I'm not sure that it will have the opposite effect in the case where the CA fails to meet its obligations. I'm not sold on putting logos in the chrome. Also, all these bits of real estate in the chrome will be competing for user attention, we can't put too much in, and once it's in, it's
23:04:33 Q: If CAs are judged by how quickly they revoke certs, why would I choose the one that would revoke quickly?
23:04:40 (Stuart Schechter)
23:05:19 A: to be the best possible CA to the relying party, you need to beat up your customers. Some CAs compete on how easily a cert is issued.
23:05:26 (PHB)
23:07:30 tlr: I'm losing steam here, can you take over?
23:07:43 or can someone else?
23:07:55 Someone else, please -- I don't have much steam left.
23:08:02 Anyway, we're adjourning in 2 minutes.
23:08:03 I nominate GeorgeStaikos!
23:08:28 beltzner: I did my tour of duty a few weeks ago
23:08:35 (Thanks a lot, Mike, for scribing.)
23:08:51 (glad to help)
23:09:19 customers can choose a CA brand (this is an A to a Q?)
23:09:34 Q: all chrome can be a phishing vector
23:10:00 A: we're not concerned about real estate
23:10:11 [I'd be flayed alive by my colleagues if I ever said that]
23:10:51 A: browsers taking measures to prevent attacks make these mechanisms good
23:11:16 Q: CA rep of that mountain whatever thingy
23:11:47 (Geotrust)
23:11:54 (Kirk Hall)
23:11:56 A: geotrust guy - it was just a test, and they owned the domain. Conflating name similarity with right to own the domain.
23:12:22 tlr says rights to domain name out of scope of this ws
23:12:34 MEETING OVER +++ATH
23:23:12 adjourned