<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09-Feb-17 11:04 AM, Ben Tasker
wrote:<br>
</div>
<blockquote
cite="mid:CABMkiz79XL+-67vNxexi9YspVYS=jQEFAa0G+Fq3z8OXWr=8-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>If I was implementing this, I'd probably tie the image
to something in the site's certificate (whether that's a
hash of the pub key or whatever), so the first time you
hit a https site you'd need to be prompted to set a
memorable image. So even if I've set for <a
moz-do-not-send="true" href="http://fidelity.com">fidelity.com</a>
I'd get a prompt when I hit <a moz-do-not-send="true"
href="http://fidelity.biz">fidelity.biz</a></div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Mostly I agree with all this but I'll just clarify some stuff. The
image could be chosen when your browser is updated to implement the
solution. There is no link to individual internet addresses. Once
the browser verifies the digital signature, you get fig 1 with info
from inside the TLS certificate.<br>
<br>
<blockquote
cite="mid:CABMkiz79XL+-67vNxexi9YspVYS=jQEFAa0G+Fq3z8OXWr=8-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>The problem with that, of course, is when people switch
browsers, the image isn't going to be there, and (combined
with possible bugs causing you to have to re-set it)
people are going to get complacent and just reset the
image when they hit <a moz-do-not-send="true"
href="http://fidelity.biz">fidelity.biz</a>, defeating
the point.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Yes. I guess the solution should be implemented on an account level.
So any browser hitting TLS will ask the operating system for the
image.<br>
<br>
<blockquote
cite="mid:CABMkiz79XL+-67vNxexi9YspVYS=jQEFAa0G+Fq3z8OXWr=8-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> (to avoid the prompt on sites that don't require it),
but then <a moz-do-not-send="true"
href="http://fidelity.biz">fidelity.biz</a> would just
omit it from their cert and we'd be back to relying on the
user noticing that something's missing.</div>
</div>
</div>
</div>
</blockquote>
<br>
Cool, you're getting it! Yes, I agree, sites would request the login
screen. They would never be able to get the image, but they can ask
your browser to show it to you.<br>
<br>
<blockquote
cite="mid:CABMkiz79XL+-67vNxexi9YspVYS=jQEFAa0G+Fq3z8OXWr=8-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>I've only skimmed the paper, but to be honest, I think
you'd almost get equal benefit (and setup annoyance) from
having the browser inject a big red "WARNING: YOU'VE NEVER
VISITED THIS SITE BEFORE" when you visit a new https site
for the first time. That at least has the advantage of
having something the user can see, rather than the absence
of something they usually see.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Excellent!!! That warning is local knowledge, just like the image.
It fits the definition of a secret shared between you and your web
browser. So, you are correct, i.e. your suggestion is consistent with
my paper's findings.<br>
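<br>
The first-visit warning discussed above, as an added example rather than anything from the thread or the paper: a trust-on-first-use store kept by the browser, keyed by hostname and the SHA-256 fingerprint of the site's SubjectPublicKeyInfo. The SPKI byte strings below are constructed placeholders, not real keys; a separate store instance stands in for a second browser that has no local state.<br>
<br>

```python
"""Trust-on-first-use store for first-visit warnings on HTTPS sites.

Added illustration; not code from the thread or the paper. State is
local to the browser profile, which is exactly why a lookalike domain
(fidelity.biz) cannot inherit anything learned about fidelity.com, and
also why a fresh browser starts out with no knowledge at all.
"""
import hashlib
from dataclasses import dataclass, field

NEW_SITE = "NEW_SITE"          # never seen this host: show the big red warning
KNOWN = "KNOWN"                # host and key match what was stored on first visit
KEY_CHANGED = "KEY_CHANGED"    # host seen before, but its public key differs


@dataclass
class FirstVisitStore:
    # hostname -> hex SHA-256 of the SPKI seen the first time the host was visited
    seen: dict = field(default_factory=dict)

    @staticmethod
    def spki_fingerprint(spki_der: bytes) -> str:
        """Hash of the DER-encoded SubjectPublicKeyInfo from the leaf cert."""
        return hashlib.sha256(spki_der).hexdigest()

    def check(self, host: str, spki_der: bytes) -> str:
        """Record the key on first visit; afterwards compare against it."""
        fp = self.spki_fingerprint(spki_der)
        stored = self.seen.get(host)
        if stored is None:
            self.seen[host] = fp
            return NEW_SITE
        if stored != fp:
            return KEY_CHANGED
        return KNOWN


# Constructed placeholder SPKI bytes (hypothetical; real ones are DER blobs).
FIDELITY_COM_SPKI = b"constructed-spki-fidelity.com-key-1"
FIDELITY_COM_SPKI_ROTATED = b"constructed-spki-fidelity.com-key-2"
FIDELITY_BIZ_SPKI = b"constructed-spki-fidelity.biz-key-1"


def walkthrough() -> list:
    """One browser profile visiting the sites in order, then a fresh profile."""
    browser_a = FirstVisitStore()
    results = [
        browser_a.check("fidelity.com", FIDELITY_COM_SPKI),          # NEW_SITE
        browser_a.check("fidelity.com", FIDELITY_COM_SPKI),          # KNOWN
        browser_a.check("fidelity.biz", FIDELITY_BIZ_SPKI),          # NEW_SITE
        browser_a.check("fidelity.com", FIDELITY_COM_SPKI_ROTATED),  # KEY_CHANGED
    ]
    browser_b = FirstVisitStore()  # new browser: no local state carried over
    results.append(browser_b.check("fidelity.com", FIDELITY_COM_SPKI))  # NEW_SITE
    return results
```

<br>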
</body>
</html>