Security Skins: Single Sign-On with Images
Appol writes "Berkeley researchers propose a Mozilla extension to stop phishing. They claim that users only need to remember one password and one image for their lifetime to securely log in to any number of sites. They also use uniquely generated visual hashes to "skin" trusted windows and webpages, which is harder to spoof than the SSL lock icon. To verify that the skin is legit, the user has to compare two images, which is easier for novices than verifying a certificate."
Finally (Score:5, Funny)
Re:Finally (Score:2)
Re:Finally (Score:5, Funny)
Re:Finally (Score:2)
Sorta like browsing Slashdot before they introduced the "show link domains" feature.
I often forget to look at the status bar, which ironically, is partially what the article discusses.
mental images? (Score:5, Funny)
Buhh? (Score:1, Offtopic)
--grendel drago
Re:Finally (Score:3, Funny)
Natalie Portman? (Score:5, Funny)
Re:Natalie Portman? (Score:2, Funny)
Oh, really? [jackieandbender.com] (SFW, and Safe for eyes)
Re:Natalie Portman? (Score:3, Funny)
--one confused Slashdot reader
Re:Natalie Portman? (Score:4, Funny)
Re:Natalie Portman? (Score:2, Funny)
Confirmation complete!!
Did you seriously think that a picture of her with her hand down her pants was BAD?
Re:Natalie Portman? (Score:3, Funny)
Yes, this should work well! (Score:4, Funny)
Re:Yes, this should work well! (Score:1)
Gates of Hell? Bill doing the Goatse?
Interesting. (Score:5, Funny)
Summer spent researching anti-spyware : 1,000$ after grants
Doing the world a favor : 0$ in debt
Getting publicity for doing the world a favor among those who care : See Below
Having your
That said, it's quite an interesting approach. The notification style for a hash is quite an interesting idea.
Mmmmmm (Score:1)
(the "corned beef" version, not the "hippy crack" version)
PDF docs (Score:2, Offtopic)
I'd like to see an alternative next to the PDF download, a basic HTML version, or plain text. PDF is not as bad as flash, but I hate it when a website only has information in one format, and the format is
Re:PDF docs (Score:3, Insightful)
Of course, if you've already written the paper, it takes minimal effort to print/export it to PDF, whereas if you export to HTML you have to do all kinds of double-checking to make sure it's formatted correctly, and probably have to mess with the code some.
Plus, if you really are running that slow a system, it's possible whatever HTML they use *won't* quite be so universal. If you'r
Re:PDF docs (Score:2)
PDF sucks, but PDF and HTML are for *completely* different purposes. PDF is a *layout* format; it's designed to fix high quality output to exact dimensions for printing.
HTML is a markup language meant to make low quality output accessible on a variety of platforms and formats.
Re:PDF docs (Score:2)
Re:PDF docs (Score:2)
Re:Interesting. (Score:2)
Re:Interesting. (Score:1)
Re:Interesting. (Score:2)
Re:Interesting. (Score:2)
As for HTML... that's fine for things that are only going on the web, but
PDF Alert (Score:1)
Re:PDF Alert (Score:2)
Thanks for the warning tho.
Re:PDF Alert (Score:4, Funny)
You must be new here.
Re:PDF Alert (Score:2)
You must be new here.
Re:PDF Alert (Score:2)
I must be new here.
Re:PDF Alert (Score:2)
Re:PDF Alert (Score:2)
Nobody needs or wants single sign-on... (Score:2, Insightful)
Re:Nobody needs or wants single sign-on... (Score:2)
People are highly visual; we can pick out a difference in a picture more subtle than a computer could do easily. More than that, when you go to pics instead of passwords you increase the data available 1000x. You can hide a lot of keys in the dead space of the picture... and rotate it as much as you want behind the scenes of what the user sees.
What About Netcraft? (Score:4, Insightful)
In practice though, I think the only way this would really work is if it's shipped by default in Firefox. The people that would install this anti-phishing plugin aren't usually the people that would get tricked by phishing scams anyway.
- dshaw
Note: This is all IMO; and yes, I understand that some scams are so realistic that anyone could get caught in their webs.
Funny (Score:2)
No to discriminate (Score:5, Insightful)
Not a good overall solution; you need a separate medium/channel to display such pictures.
Re:No to discriminate (Score:4, Insightful)
Summary: The visual system is only useful because it's easy for people with sight to verify. Blind people will use separate tools, as they always have. Your objections don't seem to make that much sense.
Re:No to discriminate (Score:2)
And most screen readers do a bad job with symbols and stuff, but people who use the screen readers a lot just start to understand that COLONCLOSEPAREN means smiley. I mean, that one specifically some readers handle, but that kind of thing in general -- the person gets pretty used to i
Re:No to discriminate (Score:1)
Re:No to discriminate (Score:2)
Re:No to discriminate (Score:2)
Also (and somewhat related) I wonder how popular online banking is with the blind. I personally think I would prefer phone banking to internet, but my vision is fine so it is just a guess.
Sometimes I forget how much I take for granted.
Re:No to discriminate (Score:1, Funny)
Re:No to discriminate (Score:2, Funny)
There are people who are blind what do they do?
Use this [creative-settings.com] for their image?
MOD PARENT SIDEWAYS! (Score:1, Funny)
Re:No to discriminate (Score:2)
Re:No to discriminate (Score:2, Interesting)
They always depend on the soft- and hardware that was built to aid them in using computers. I know there are braille boards on which they can "read" plain text. With the right software this can (and probably is) be used to get quite far with computer use.
I think for such handicaps, it would be easier and much more flexible to use text as a visual confirmation instead of images. This way it is much easier to make the software c
Re:No to discriminate (Score:3, Interesting)
This rocks.... (Score:1)
Re:This rocks.... (Score:3, Insightful)
A simple, elegant and workable solution... (Score:2)
Jolyon
Re:A simple, elegant and workable solution... (Score:2)
But who will actually download it? (Score:2, Funny)
Been there, done that. (Score:4, Funny)
Whoops, did I say that out loud? Good thing I didn't mention that my image is a kitten.
Oh shoot...
Re:Been there, done that. (Score:1)
What about cost? (Score:4, Interesting)
As a side note, after 8 years of tech support, I find users trust what their browsers trust, and as long as people use browsers like IE and just click on email links, nothing will be secure at the users end.
Re:What about cost? (Score:1)
Re:What about cost? (Score:2)
Good idea (Score:2, Insightful)
infected computer (Score:4, Insightful)
Re:infected computer (Score:2)
Unfortunately, the trend has been to allow the server to do ANYTHING to the user's browser. Pop-ups are the oldest and most ubiquitous I can think of (especially vile on-window-close pop-ups), though oth
Re:infected computer (Score:2)
If malware or spyware is installed on your computer, then yes this won't stop it. Then again, this malware can just keylog your password or do whatever else it wants. The point is that if your OS (or even just your browser) is compromised, then your online security is compromised. The only way to prevent this is to have a secure browser and
Whats really interesting (Score:2, Interesting)
Re:Whats really interesting (Score:1)
Re:Whats really interesting (Score:2)
It's also because no matter what you produce, there are a lot of weaknesses - like using an image when you're blind.
I saw two fraudulent charges on my card last year - and they were resolved within a day or two of my reporting them. Unfortunately, I doubt they can do much against international fraud, given that t
Comparing pictures seems... Not a good idea (Score:2)
Didn't rtfa, can't rtfa because tfa a fpdf.
md5 style too? (Score:3, Interesting)
So when you download a file, they show you a picture of the expected visual-hash. When the file finishes, you take a quick look at the visual-hash your computer just generated, and see if they match.
Similarly for all secure websites and key exchanges. When you SSH into a server, why not show an image (or ASCII art if you prefer) based on its unique key? I think anti-phishing is just one of many uses for this kind of technology.
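The "visual hash" idea in the comment above, as an added example that is not part of the thread or of the Berkeley paper: a fingerprint (here SHA-256 of whatever is being verified) is rendered as a small piece of ASCII art so that two fingerprints can be compared at a glance. The walk follows the drunken-bishop idea that OpenSSH uses for its randomart; the board size, symbol set and starting cell are this example's own choices. The exact byte comparison is kept alongside the picture, since the picture only helps a human when no machine-checkable copy of the expected value is available.

```python
"""Added example: render a digest as an ASCII-art visual hash (not the paper's algorithm)."""
import hashlib
import hmac

WIDTH, HEIGHT = 17, 9          # board size: an assumption for this example
SYMBOLS = " .o+=*BOX@%&#/^"    # glyph for each visit count 0..14; higher counts saturate


def fingerprint(data: bytes) -> bytes:
    """SHA-256 digest of the thing being verified (a downloaded file, a host key, ...)."""
    return hashlib.sha256(data).digest()


def visual_hash(digest: bytes) -> str:
    """Walk a board from the centre; every 2-bit pair of the digest moves the walker one
    step diagonally (bit 0 picks left/right, bit 1 picks up/down), clamped to the board.
    Each cell shows how often it was visited; S marks the start and E the end cell.
    Identical digests always give identical pictures."""
    board = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    start = (x, y)
    for byte in digest:
        for shift in (0, 2, 4, 6):          # consume the byte two bits at a time, LSB first
            bits = (byte >> shift) & 0b11
            dx = 1 if bits & 0b01 else -1
            dy = 1 if bits & 0b10 else -1
            x = min(max(x + dx, 0), WIDTH - 1)
            y = min(max(y + dy, 0), HEIGHT - 1)
            board[y][x] += 1
    lines = []
    for row_i, row in enumerate(board):
        line = ""
        for col_i, count in enumerate(row):
            if (col_i, row_i) == start:
                line += "S"
            elif (col_i, row_i) == (x, y):
                line += "E"
            else:
                line += SYMBOLS[min(count, len(SYMBOLS) - 1)]
        lines.append("|" + line + "|")
    border = "+" + "-" * WIDTH + "+"
    return "\n".join([border, *lines, border])


def matches(expected: bytes, actual: bytes) -> bool:
    """The exact check an application should do itself whenever it holds the expected
    digest; the picture is for the cases where only a human can do the comparison."""
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample: two different "downloads" and their pictures.
    for sample in (b"constructed file A", b"constructed file B"):
        print(sample.decode(), "\n" + visual_hash(fingerprint(sample)), "\n")
```

The picture deliberately throws information away, so it can only support a human comparison: it is a quick check that something is not obviously wrong, not a substitute for comparing the full digest in software where that is possible.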
Re:md5 style too? (Score:1)
Any image can be converted into a string (concatenating the RGB values of each pixel of the image). Comparing two strings is an exact science, while having a user visually compare two pictures is considerably more dangerous. If the application converts the expected and resultant pictures to strings, and then compares them, the result is exact. Obviously, you could then re
Re:md5 style too? (Score:2)
But sometimes a user is put in a situation where they must judge whether something is secure and/or authentic.
For instance, if I'm logging into a server from a terminal I've never used before, I want some way to verify that the server I've contacted is the real deal. As described in TFA, an exchange could occur, with a visual image being generated based on the exchange. If the visual imag
Re:md5 style too? (Score:2)
Another one is a paper [psu.edu] (reference 31 in TFA) that discusses hash visualization, i.e. generating random visual images based on unique strings/numbers/hashes.
I think there is a lot of
Re:md5 style too? (Score:2)
My vaporware email client displays messages with visually distinguishing marks. Imagine a zoomed out view with a rectangle representing each email. Many things could be varied such as position of the rectangle, color, border color, border style, shape, size, and many more. A clever email client could make it easy to identify messages at a glance. All messages from "bob" could have a few features always the same, so new messages from "bob" could be easily spotted. All messages from the "foobar" mailing
Lotus Notes (Score:2)
Finally a use for the brush metal theme (Score:2)
I don't hate brushed metal but I am frustrated by the seemingly arbitrary application of it.
Portability (Score:2)
A username / password to connect to a website can be used from any browser that can connect to the website.
But using a salted hash like the SRP scheme they are talking about would require you to either create a new account from each browser you wanted to use, or move the existing salt to each browser. Otherwise it wouldn't generate a matching hash, and would fail to verify.
And creating multiple sets of auth
Generated passwords solve this problem better (Score:2)
It's more secure, too. Software isn't fooled by Unicode character set spoofing -- two Unicode characters may render to the same glyph in a
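The per-site generated password scheme of the comment above, together with the portability point raised in the "Portability" comment (a secret salt has to travel with the user, a deterministic derivation does not), as an added example that is not from the thread or from any of the tools it mentions. The password derivation, output alphabet and length are this example's own choices. The domain is canonicalised and IDNA-encoded before it enters the derivation, so a look-alike Unicode domain produces a different password than the real one even if the two render to the same glyphs.

```python
"""Added example: derive a per-site password from one master password plus the canonical
domain. Scheme and parameters are assumptions of this example, not the thread's."""
import base64
import hashlib
import hmac
import unicodedata

# Constant, public salt: nothing secret has to be copied between browsers, which is the
# portability property the thread asks for. The flip side is that anyone who captures one
# site's password can brute-force the master password offline, so the master must be strong.
KDF_SALT = b"site-password-v1"
KDF_ITERATIONS = 100_000


def canonical_domain(host: str) -> bytes:
    """Normalise the host the way a browser compares names: trim, lowercase, NFKC,
    then IDNA-encode. A label containing non-ASCII letters comes out as an xn-- label,
    so a homoglyph domain can never canonicalise to the ASCII name it imitates."""
    host = unicodedata.normalize("NFKC", host.strip().lower())
    return host.encode("idna")


def site_password(master: str, host: str, length: int = 16) -> str:
    """Stretch the master password with PBKDF2, then HMAC the canonical domain with it.
    Same master + same real domain -> same password on any browser; any other domain,
    including a look-alike, gets an unrelated password."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), KDF_SALT, KDF_ITERATIONS)
    tag = hmac.new(key, canonical_domain(host), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    master = "constructed master passphrase"          # constructed sample value
    real = "paypal.com"
    lookalike = "p\u0430ypal.com"                     # Cyrillic 'a' instead of Latin 'a'
    print(real, canonical_domain(real), site_password(master, real))
    print(lookalike, canonical_domain(lookalike), site_password(master, lookalike))
```

Because the derived password is a function of the domain actually being visited, a phishing page on a look-alike host receives a password that is useless at the real site; the user never has to notice the spoofed glyph themselves.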
Re:Generated passwords solve this problem better (Score:2)
Stop Phishing? (Score:3, Insightful)
You may be aware of a new technology to synch a picture with a web page to ensure it is legitimate, please click this link to download an executable to synch the picture you selected with our server to better provide you with secure transactions.
Anyone who sees this as a phishing scam doesn't need this technology. Anyone who does need this technology is just as likely to fall for this.
For the PDF haters and mirror requests... (Score:2)
Single password not hard to achieve without risk. (Score:2)
I just thought I would share how I would implement a very simple unified password system on the web without any risk of your password being stolen, either by dodgy webmasters or by man in the middle attack. I have no idea if it is original but seems near flawless to me and I'm going to implement it on my sit
Re:Single password not hard to achieve without ris (Score:3, Insightful)
But what the hell - send them all new ones by e-mail.
If the site changed domain the user would have to re-register, or at least visit the site and provide a new hash; I don't see any way around that.
The other thing, of course, is that this relies on user co-operation to install new software, and also implies complete trust in that software. If you're going to force people to install new software, why not just use personal certificates? You also missed a vulnerability - the
Re:Single password not hard to achieve without ris (Score:3, Interesting)
Change of uri/domain -
A fairly uncommon event for most well established websites (obviously not torrent sites
Re:Single password not hard to achieve without ris (Score:2)
I don't get it. (Score:2)
1. Instead of showing a little lock icon when you connected securely and the certificate was OK, it displays an abstract pattern across your entire browser window.
How does this prevent phishing attacks? If a user goes to URL www.criminals.com and the certificate is for www.criminals.com, then you'll get the OK image. All that criminals.com has to do is figure out a way to get that certificate signe
Acutrust is a better method (Score:2, Interesting)
Acutrust FAQ http://www.isblanket.com/services/online/acutrust/faq/ [isblanket.com]
My four year old has got it licked! (Score:2)
It's like a dream finally come true!
- Zarq
Re:Colourblind? (Score:5, Insightful)
They'll pick a black and white image?
Re:Colourblind? (Score:2, Interesting)
Re:Colourblind? (Score:2)
Re:Colourblind? (Score:1)
Goatse in ASCII [glandscape.com]
Re:Colourblind? (Score:1)
The grandparent's critique was in no way a valid criticism. It was like criticizing a technology that would improve automobile safety because some people are, unfortunately, bedridden.
Re:Colourblind? (Score:2)
captcha variants (Score:2)
Bologna. What do you think email address "spamblock" is? What about a noisy/distorted audio clip instead of an image? Non-visual captcha variants can work.
Re:why? (Score:2)
Re:why? (Score:2)
For god's sake, use the TargetAlert extension for Firefox, one of my favourite ~dozen. You'll always know what you click on.
Re:why? (Score:2)
Re:Slow PDF (Score:2)
Re:Slow PDF (Score:1)
If you try to guess the document type by looking at the dot extension appended to the name, you can't, the same way Internet Explorer fails to know the proper content type. Then it leads to all those security concerns.
You really should not try hard guessing document types based on labels or URI.
Until status bars tell us about the real document mime types...
Re:Slow PDF (Score:2)
You're in luck (Score:1)
TargetAlert, a Firefox extension that shows a little icon next to links giving an indication of what the target is (pdf, word, excel, ppt, zip, email, xml).