A different approach to fighting phishing

We are usually advised to avoid being phished by looking carefully at the address bar for discrepancies. Unfortunately,

The web page; the URL; the SSL certificate (if any); indeed, all information displayed to the user; is information chosen by the attacker. The user is then asked to discover discrepancies in information that has been carefully designed for deception. This type of game is better suited to a book of puzzles than a secure user interface. —Tyler Close

The problem is that humans are notoriously bad at detecting rare and non-obvious events.

The Petname tool is a nifty alternative way to detect and expose phishing. It's a Firefox extension that lets you enter short messages (e.g. "stock trades") to be associated with a site's CA public key and distinguished name (DN). On later visits, your message is displayed only if the site's key and DN match the ones you recorded; a lookalike site, which cannot present both, simply shows no message.

This is somewhat similar to the approach used in SSH. That is, on the second and subsequent transactions between you and another party, it's not quite as valuable for you to know simply whether some trusted CA will vouch for that party. What you really want to know is that you are talking to the same party you were talking to last time. (As with SSH, man-in-the-middle attacks on the second and subsequent logins can be detected... even if the user didn't properly verify the authenticity of the remote party on the first login!)
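To make the mechanism concrete, here is a small Python model of the petname idea described above. It is an added example, not the Petname extension's own code: it binds a user-chosen name to the pair (CA public key, subject DN) and returns that name only on an exact match of both, so a lookalike site gets nothing. The key bytes and DNs are constructed sample values, and the "known DN but different CA key" warning is this example's SSH-style addition rather than something the post describes.

```python
"""Petname store keyed on (CA public key, subject DN). Added example, not the
Petname tool's code; all keys and DNs below are constructed sample values."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class SiteIdentity:
    """What the browser can observe about the peer after the TLS handshake:
    the CA's public key bytes and the server certificate's subject DN."""
    ca_public_key: bytes
    subject_dn: str

    def fingerprint(self) -> str:
        # Hash key and DN together (length-prefixed) so that neither one
        # alone can produce a match.
        h = hashlib.sha256()
        h.update(len(self.ca_public_key).to_bytes(4, "big"))
        h.update(self.ca_public_key)
        h.update(self.subject_dn.encode("utf-8"))
        return h.hexdigest()


class PetnameStore:
    """Maps (CA key, DN) -> petname; a petname is shown only on an exact match."""

    def __init__(self) -> None:
        self._petnames: Dict[str, str] = {}
        self._fingerprints_by_dn: Dict[str, Set[str]] = {}

    def assign(self, identity: SiteIdentity, petname: str) -> None:
        """First visit: the user names the site. The name is bound to both fields."""
        fp = identity.fingerprint()
        self._petnames[fp] = petname
        self._fingerprints_by_dn.setdefault(identity.subject_dn, set()).add(fp)

    def lookup(self, identity: SiteIdentity) -> Optional[str]:
        """Return the petname if and only if key and DN both match a stored entry."""
        return self._petnames.get(identity.fingerprint())

    def status(self, identity: SiteIdentity) -> str:
        """Classify a visit. The 'WARNING' branch is an assumption added here:
        it mirrors SSH's host-key-changed warning (same DN, different CA key)."""
        name = self.lookup(identity)
        if name is not None:
            return f"petname: {name}"
        if identity.subject_dn in self._fingerprints_by_dn:
            return "WARNING: known DN but CA key differs (possible MITM)"
        return "no petname (unrecognised site)"


# Constructed sample inputs; not real keys or certificates.
GENUINE_CA_KEY = b"constructed-ca-key-A"
OTHER_CA_KEY = b"constructed-ca-key-B"
BANK = SiteIdentity(GENUINE_CA_KEY, "CN=bank.example,O=Example Bank")
LOOKALIKE = SiteIdentity(GENUINE_CA_KEY, "CN=bank-example.test,O=Example Bank")
SAME_DN_OTHER_CA = SiteIdentity(OTHER_CA_KEY, "CN=bank.example,O=Example Bank")


def demo() -> Dict[str, str]:
    """Record a petname on the first visit, then classify three later visits."""
    store = PetnameStore()
    store.assign(BANK, "stock trades")
    return {
        "revisit": store.status(BANK),
        "lookalike": store.status(LOOKALIKE),
        "same_dn_other_ca": store.status(SAME_DN_OTHER_CA),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The point the model makes is the one the post makes: the user is never asked to spot a discrepancy in attacker-chosen text. Either the name they typed themselves appears, or it does not, and the lookalike's carefully crafted page and URL play no part in that decision.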

Of course, all this is of little use if the human doesn't check the petname before entering his password. For that, the author suggests that web browsers be made to automatically manage credentials on our behalf...

Further reading: W3C workshop paper
