Client Certificate UI for Chrome?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Sep 6 03:34:24 EDT 2009


Ian G <iang at systemics.com> writes:

>If one is trying to solve the whole thing, then using the much-commented
>secure-bookmarks model would do this.  Within the secure bookmark, record the
>user's certificate and cache enough info on the server's cert to deal with
>replacements (like, cert, name, CA).

There's a variant of this, the site-specific browser (SSB), that takes you to
(for example) your bank in a strongly sandboxed, hardened environment.  This
reduces the cognitive load on the user from a more or less impossible-to-follow
set of instructions to "only ever do your banking by clicking on this
desktop icon".  This isn't by any means a general solution, but by solving for
the most common cases (your bank, Paypal, eBay, Amazon) you'd address a fairly
large chunk of the problem.  See "Breaking out of the Browser to Defend
Against Phishing Attacks" by Smetters and Stewart for more details on this.

>Others have suggested some ideas, so I'll just add:  the problem isn't IMO
>how to do it.  There are lots of good ideas.

Actually that does point out one problem, which I alluded to in my previous 
post: we have lots and lots of good ideas, but little hard data to indicate 
which ones will work and which won't, or which ones work better than others 
(although the cynical response to this might be that almost anything would 
work better than what we've got now).  Specifically, there are a pile of 
papers along the lines of "here's an experiment showing that what we're doing 
now doesn't work, here's a completely new security mechanism we've invented 
that involves redesigning the browser and server authentication back-end, and 
as a side-effect here are some UI ideas to go with it".  What we don't have 
however is "here's a real-world evaluation of various ideas that have been 
proposed for fixing what we already have built into browsers and servers". 
Unfortunately without this data we (including myself) are to some extent just 
"people wanking around with their opinions" [0].

It's also not certain how such data would be published.  Which journal or
conference would accept a paper with no "new ideas" in it, just a
straightforward evaluation of existing material?

Peter.

[0] A Linus quote, brought about by a discussion on the difference between OS
scheduler design and security design: "the *discussion* on security seems to
never get down to real numbers. So the difference between them is simple: one
is 'hard science'. The other one is 'people wanking around with their
opinions'".

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
