From tyler.close at gmail.com Wed Mar 1 12:14:04 2006
From: tyler.close at gmail.com (Tyler Close)
Date: Wed Mar 1 11:14:37 2006
Subject: [Petname] Negative pattern for petnames
In-Reply-To: <9674d5350602271357o473a267dv83c1f79739c236ec@mail.gmail.com>
References: <9674d5350602271357o473a267dv83c1f79739c236ec@mail.gmail.com>
Message-ID: <5691356f0603010814t7fa17bfi12da858129801688@mail.gmail.com>

Hi Brian,

> A friend pointed me to petnames and Petname Tool. A much better (and
> more general) solution to the system I came up with earlier!

Thanks for the back pats. It's always nice to get some positive feedback.

> I've been using it for a while, and it is extremely useful! I do think it
> suffers slightly from the user's "zoning out" and not paying attention
> to the petname bar. For example, I try to log into paypal via a link
> I've followed, and it just remains white and says untrusted. There is
> no change in state that catches my eye, so I don't notice that
> something is up.

A good way to help with the "zoning out" problem is to let your web browser help you zone out even further, by which I mean using the Firefox password manager. If you make a habit of using the password manager, you'll be jolted out of your customary login habits when the username and password fields are not autofilled for you. Hopefully this loss of functionality will then cause you to look up at the petname tool to realize that you've landed on a phishing site.

> It would be wonderful if petname tool could associate patterns or
> keywords with a given petname, such that a warning could be displayed
> if the site is untrusted. For example, a pattern for my "small
> payments" paypal.com petname would be a site that has a form and
> mentions "paypal" and "login". If this "pattern" was found on a page,
> and the current certificate does not match the cert for my petname, a
> warning would be displayed in red in the petname box. This would
> catch my eye, and alert me to potential phishiness.
>
> Has a technique such as this been discussed on this list? Patterns
> for well known sites could be developed and shared. Thoughts?

I am skeptical of this approach. It looks like an arms race with the phishers, where the phishers have the upper hand. The defense is also a reactive one, where the pattern developers will always be playing catch-up with the latest from the phishers. Not a happy place to be.

Since it's an arms race, there will be many points in time where the phishers are ahead of the game and the tool fails to detect phishing attacks. Every time this happens, users will lose faith in the viability of the warnings. After enough successful attacks, the warnings may be ignored.

I think a better approach is encouraging more reliance on the browser's password manager.

Thanks for the feedback,
Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957