Security

Security Skins: Single Sign-On with Images

Appol writes "Berkeley researchers propose a Mozilla extension to stop phishing. They claim that users only need to remember one password and one image for their lifetime to securely log in to any number of sites. They also use uniquely generated visual hashes to "skin" trusted windows and webpages, which is harder to spoof than the SSL lock icon. To verify that the skin is legit, the user has to compare two images, which is easier for novices than verifying a certificate."
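As an added illustration of the check the summary describes (not the researchers' code; the paper's own key-agreement and image-generation methods are not described on this page), the shape of the skin comparison: a browser and a site that share a per-session secret both derive the same picture from it, so a page that cannot produce the matching skin is not the genuine site. The HMAC-based colour grid and the constructed login scenario are assumptions standing in for the real visual hash.

```python
import hashlib
import hmac
import secrets

GRID = 8  # cells per side; each cell is an (r, g, b) triple


def visual_hash(session_secret: bytes, label: bytes = b"security-skin") -> list:
    """Derive a deterministic colour grid from a secret shared by the browser and
    the genuine site. Toy stand-in for the paper's visual hash: only the shape of
    the check matters here, not the image-generation method itself."""
    stream = b""
    counter = 0
    while len(stream) < GRID * GRID * 3:
        block = hmac.new(session_secret, label + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        stream += block
        counter += 1
    cells = [tuple(stream[i:i + 3]) for i in range(0, GRID * GRID * 3, 3)]
    return [cells[r * GRID:(r + 1) * GRID] for r in range(GRID)]


def render_ascii(grid: list) -> str:
    """Bucket each cell by brightness so two skins can be eyeballed side by side."""
    ramp = " .:-=+*#%@"
    return "\n".join(
        "".join(ramp[(sum(c) // 3) * len(ramp) // 256] for c in row) for row in grid)


def skins_match(browser_skin: list, page_skin: list) -> bool:
    """The check the user performs: does the page's skin equal the trusted window's?"""
    return browser_skin == page_skin


def demo() -> tuple:
    # Constructed scenario: after login the browser and the bank share a fresh secret.
    shared = secrets.token_bytes(32)
    browser_window = visual_hash(shared)      # skin on the trusted browser window
    genuine_page = visual_hash(shared)        # genuine site renders the same skin
    phishing_page = visual_hash(secrets.token_bytes(32))  # spoofer has no secret
    return (skins_match(browser_window, genuine_page),
            skins_match(browser_window, phishing_page))


if __name__ == "__main__":
    legit, spoof = demo()
    print(render_ascii(visual_hash(b"demo-secret")))
    print("genuine page matches:", legit, "| phishing page matches:", spoof)
```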
  • by Anonymous Coward on Thursday May 26, 2005 @01:44PM (#12647041)
    ...whether Passport or some open-source solution. The task of typing some stuff into a form field is not so onerous we need a complicated solution for a non-problem. Most browsers support various ways to locally remember form fields that take care of these problems simply. And this won't stop phishing.
  • by dshaw858 ( 828072 ) on Thursday May 26, 2005 @01:44PM (#12647043) Homepage Journal
    Isn't this a lot like Netcraft's new Anti-Phishing plugin? I'm glad that all these people are finally taking initiative against phishers, even though it's almost definitely due to the heightened media attention that phishing is currently getting.

    In practice though, I think the only way this would really work is if it's shipped by default in Firefox. The people that would install this anti-phishing plugin aren't usually the people that would get tricked by phishing scams anyway.

    - dshaw

    Note: This is all IMO; and yes, I understand that some scams are so realistic that anyone could get caught in their webs.
  • No to discriminate (Score:5, Insightful)

    by a3217055 ( 768293 ) on Thursday May 26, 2005 @01:45PM (#12647054)
    There are people who are blind; what do they do? Stare at the screen hoping their eyesight comes back?

    Not a good overall solution; you need a separate medium/channel to display such pictures.
  • Re:Colourblind? (Score:5, Insightful)

    by yotto ( 590067 ) on Thursday May 26, 2005 @01:46PM (#12647081) Homepage
    *what if they're colour blind?*

    They'll pick a black and white image?
  • by Council ( 514577 ) <rmunroe@gmaPARISil.com minus city> on Thursday May 26, 2005 @01:51PM (#12647132) Homepage
    *There are people who are blind; what do they do? Stare at the screen hoping their eyesight comes back?*

    *Not a good overall solution; you need a separate medium/channel to display such pictures.*

    Don't be silly. The not-too-large group of blind heavy computer users (a group including two of my friends) has to develop separate tools for this stuff, such as screen readers [freedomscientific.com] (if you want Linux tools, there are plenty) and the like. "You need a separate medium/channel to display such pictures" . . . sounds kind of silly. A non-visual channel for displaying pictures? These pictures are useful only because they make use of the human visual processing center. Blind people will verify certificates with separate software tools piled on top of this. No more convenient than the current system for them, unfortunately, but they're used to working around this kind of thing.

    Summary: The visual system is only useful because it's easy for people with sight to verify. Blind people will use separate tools, as they always have. Your objections don't seem to make that much sense.
  • Re:This rocks.... (Score:3, Insightful)

    by nizo ( 81281 ) * on Thursday May 26, 2005 @01:51PM (#12647133) Homepage Journal
    Using an SO would be a bad idea; if you ever break up just think about how dumb you would feel if you ever find another significant other (sort of like an online version of the embarrassing tattoo). Better to pick a cute puppy or something like that instead.
  • Good idea (Score:2, Insightful)

    by apathyonline ( 886926 ) on Thursday May 26, 2005 @02:00PM (#12647219) Homepage Journal
    That sounds like a good idea. However, it may be like asking the average citizen to spot counterfeit money. And after a few times of being asked to compare images, the user may get annoyed, and every time afterward they will just confirm everything to get done quickly.
  • Re:PDF docs (Score:3, Insightful)

    by porcupine8 ( 816071 ) on Thursday May 26, 2005 @02:00PM (#12647226) Journal
    I don't understand why so many places use PDF when it is not that hard to write the HTML to make a document look as nice.

    Of course, if you've already written the paper, it takes minimal effort to print/export it to PDF, whereas if you export to HTML you have to do all kinds of double-checking to make sure it's formatted correctly, and probably have to mess with the code some.

    Plus, if you really are running that slow a system, it's possible whatever HTML they use *won't* quite be so universal. If you're using an old browser that doesn't render tables quite right or somesuch, the HTML might just be a bigger hassle.

  • infected computer (Score:4, Insightful)

    by tacroy ( 813477 ) on Thursday May 26, 2005 @02:03PM (#12647266)
    I skimmed the article, and I noticed the adware section, but it didn't really answer my question: if the secure aspect is the local picture and the local picture needs to be pulled from the local machine by the page, then what is to stop an adware program from grabbing that API and using the secure picture on an insecure site?
  • Stop Phishing? (Score:3, Insightful)

    by protolith ( 619345 ) on Thursday May 26, 2005 @04:05PM (#12648408)
    Dear valued ebay customer,

    You may be aware of a new technology to synch a picture with a web page to ensure it is legitimate. Please click this link to download an executable to synch the picture you selected with our server to better provide you with secure transactions.

    Anyone who sees this as a phishing scam doesn't need this technology. Anyone who does need this technology is just as likely to fall for this.
  • by radish ( 98371 ) on Thursday May 26, 2005 @04:38PM (#12648762) Homepage
    I'm with you until this bit:

    *But what the hell - send them all new ones by e-mail.*

    If the site changed domain the user would have to re-register, or at least visit the site and provide a new hash; I don't see any way around that.

    The other thing, of course, is that this relies on user co-operation to install new software, and also implies complete trust in that software. If you're going to force people to install new software, why not just use personal certificates? You also missed a vulnerability - the hashes given to the webserver include a reasonable amount of known (and specified) plain text. This makes an attack on the hash algorithm much easier. Given the value of discovering the master password (it will unlock the user's entire online life, including banks etc.) it's not hard to imagine people committing serious resources to breaking the hashes.

    All of this reminds me of Schneier's Law:
    "any person can invent a security system so clever that she or he can't think of how to break it."

    I'm not saying I can think of a way of breaking it, but personally I'd go with something well tested in the real world.
