Comments on: Ka-Ping Yee on Phishing

By: Zooko

Zooko — Wed, 15 Feb 2006 17:14:17 +0000

Adam: The important distinction between passpet's "user assigned labels" and other things which might be called "nicknames" is that the attacker has no influence on the value of the label. Some on-line poker sites offer a feature of "sticky notes" which you can attach to a player and write notes into. If you encounter that player again in a future session, that sticky note and your original notes will reappear, attached to that player. It is important that the player to whom it is attached has zero influence on what information is entered into the sticky note. (Except, of course, inasmuch as he can influence what you choose to write.) The same principle applies to passpet's "user assigned labels". If the attacker gets to suggest something, such as by transmitting a "suggested nickname" which says that he is called "my b4nk", then much of the value is lost. This traditionally the distinction between "pet names" and "nicknames" [1, 2], but I've recently learned that people respond more favorably to the concept when it is presented in terms of "sticky notes" than in terms of "petnames". [1] http://www.skyhunter.com/marcs/petnames/IntroPetNames.html [2] http://www.erights.org/elib/capability/pnml.html

By: Ping

Ping — Sun, 12 Feb 2006 06:12:14 +0000

I agree that typing in a URL is harder to spoof. But it’s only harder to spoof once you’ve started doing it. That is, in either case, some user behaviour has to change in order to yield the improvement in security.

By: Adam

Adam — Fri, 10 Feb 2006 16:38:35 +0000

Hmm, i don’t know if I actually mean that “far” in “far harder.”

By: Adam

Adam — Fri, 10 Feb 2006 16:28:09 +0000

With regards to (1), my “type a URL and create a bookmark” approach is far harder to spoof. Perhaps Passpet could do something clever with knowing the difference between a typed URL and a clicked one, or use careful directions to bring them to the right site.
(3) becomes interesting mainly because of the FFIEC rules. If the bank knows something about how you’re managing your passwords, that may interact with those rules.

By: Ping

Ping — Thu, 09 Feb 2006 19:29:43 +0000

Thanks for the kind compliment.
Let’s see what i can do about addressing the issues you mentioned:
1. The user could be spoofed in the setup process. Well, yes. I think this is out of scope, though — i mean, you can’t expect any scheme to help you before you’ve actually started using it. In the setup process, the user is exactly as vulnerable as they are during any other login; Passpet gives them the opportunity to step into a safer usage pattern.
2. The user needs to install software. Yup. I concede that one. I don’t see any good way around this, because any password security tool has got to have a trustworthy piece of UI to interact with — it’s got to stand closer to you than any webpage can. At least, with Firefox, it’s pretty easy to install an extension.
3. The bank doesn’t get an indicator of password safety. This is an interesting point that i hadn’t even considered. How do you think it would affect banks if this indicator were or weren’t present?

By: Adam

Adam — Wed, 08 Feb 2006 22:31:47 +0000

Thanks, but I meant nicknames until someone explains to me why the user should have to understand the difference.

By: Anonymous

Anonymous — Wed, 08 Feb 2006 20:02:39 +0000

You say "It entails extending the browser to use nicknames". I think you meant petnames. See http://www.schneier.com/blog/archives/2006/02/petnames.html