<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-forward-container"><br>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08-Feb-17 8:39 AM, Bill Cox wrote:<br>
</div>
<blockquote
cite="mid:CAOLP8p7F+ARNUO1uH0XAPu-cfkjd2JCS=OBW0a9tpmDDT--S3A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">Can you elaborate a bit on the
research? Did it cover the case where the picture is stored
on the client machine and the same picture is shown when
logging in to all web sites?</div>
</div>
</blockquote>
<br>
You kinda have to read the entire paper up to the end of section
3 to get the answer to this question.<br>
<br>
In a nutshell: your web browser has two personalities, one
friend, one foe. The foe is when your browser creates a
counterfeit website page. The friend is when your browser does
something that a remote website cannot do, i.e. access local data.
For your browser to display local data is classic cryptography!
Local data are shared secrets. For your browser to show you an
image from the hard drive, an image that remote websites cannot
access, is your browser proving that you are NOT looking at a web
page created by Mallory, out there on the internet.<br>
<br>
<blockquote
cite="mid:CAOLP8p7F+ARNUO1uH0XAPu-cfkjd2JCS=OBW0a9tpmDDT--S3A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">I think a tool like that could be
built as a browser plugin, and it could use some simple
heuristics like Chrome does when it saves your passwords to
figure out when a user is on a login page.</div>
</div>
</blockquote>
<p>I would build it into the browser. I would let the website
creator decide when the window should appear.<br>
</p>
</div>
</body>
</html>