[WEB SECURITY] Web security improvement ideas

Gervase Markham gerv at gerv.net
Sun May 29 05:01:06 EDT 2005


Ivan Ristic wrote:
> Maintaining a per-page descriptor is just not practical. No one will
> want to do it. 

It depends how it's maintained. It's metadata - and that's what CMSes 
are for.

> I was thinking more along the lines of someone getting a valid
> certificate for a domain name that does not belong to them, e.g. using
> a bit of social engineering. It may have happened, it sounds plausable
> to me.

As far as I'm aware, there has never been a reported case of this. 
(Although 2 code-signing certs were mistakenly issued back in 2001.)

>>What happens if your new layer of security fails completely? Surely we
>>need a third layer for that case?
> 
> In general, yes. We need multiple layered protective measures to avoid
> having a single point of failure.

I was being sarcastic. You can't invent a technical solution to a 
problem, and then wrap it in another identical solution "in case the 
first one goes wrong". Where does it end?

>>There is no way you can avoid having a user take some action (even if
>>it's just moving their eyes) to make sure they are in the right place,
>>because the definition of "right place" is solely in the user's brain.
>>The browser cannot accurately determine it.
> 
> It can if you define "right place" as "the same place I visited every
> single time before".

You presumably mean "a place I've visited at some time before". And the 
user still has to make the minimal effort of looking at whatever UI 
indicates whether they have been there before or not.

See
http://www.gerv.net/security/phishing-browser-defences.html#new-site
for a suggested UI for this.

>>Except that if I've been logging into my bank using my browser's
>>Digest-Auth UI for months, and suddenly I get asked to type my password
>>into a web page instead, I should be suspicious. If I'm not, I'm
>>probably the sort of person who types my CC number into any web form
>>that asks for it anyway.
> 
> You seem to be judging things by what you would do. But that's not
> realistic. 

What's realistic is that it's very hard for a browser to protect someone 
who pays _zero_ attention to their security, and so will type their CC 
number and PIN into any form which asks. An amount of user education is 
required. The job of a browser maker is to minimise that amount.

> Besides, I want to be
> able to log in to my bank's web site without having to go through a
> 5-page long checklist in order to determine I am not being attacked in
> some way.

Absolutely.

Gerv

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list