Trusted path (was: status of SRP)

leichter_jerrold at emc.com
Mon Jun 5 12:45:17 EDT 2006


| ...This is the trusted-path problem.  Some examples of proposed
| solutions to trusted-path are:
| 
|     - Dim the entire screen.
|     - Use special window borders.
|     - Use flashing window borders.
|     - Use specially shaped windows.
|     - Attach a warning label to all untrusted windows.
|     - Display a customized word or name.
|     - Display a customized image.
|     - Overlay a semitransparent customized image.
|     - Require the user to press a secure attention key.
|     - Require the user to click a customized button.
| 
| I'm interested in people's thoughts on what works better or
| might work better.  (Feel free to add to the list.)

I'm going to give a pessimistic answer here:  None of the above.

You're fighting the entire direction of development of display technologies
on end-user machines.  There are no fixed standards - everything is subject
to change and (we hope) improvement.  Applications regularly "improve on"
the standards, or imitate what others have done.

Use a specially shaped window?  Soon, other applications will start
imitating that as a flag for "important" data.  Customized images?  How
many people will set one?  And how hard will it be to fool them with a
nice-looking new app that tells you it has a whole library of images you
can use for your customized image?

There is simply no precedent for people making trust distinctions based on
user elements on the screen.  They see the screen as similar to a piece of
paper, and draw distinctions using the same kinds of rules we've
traditionally applied to paper:  Does it look professionally done?  Is it
well written?
Does it have all the right logos on it?  *None* of these are helpful on the
Web, but that doesn't change how people react.

The only "trusted path" most people ever see is the Windows Ctrl/Alt/Delete
to enter a password.  That's not a good example:  The *dialog* it produces
is indistinguishable from other Windows dialogs.  You should only trust it
to the degree that you know you typed Ctrl/Alt/Delete, and haven't yet hit
enter.  There's no way to generalize this.

This is a human factors issue.  You have to look at what people actually
use to make trust distinctions.  As far as I can see, the only thing that
will really work is specialized hardware.  Vendors are already moving in
this kind of direction.  Some are adding fingerprint scanners, for example.
However, any *generally accessible* device is useless - an attacker can
get at them, too.  What's needed is some physically separate device, with
a trusted path between it and something controlled.  A physical button,
with a small LCD near it, with enough room for a simple prompt, and you
are probably fine.  Make *that* "part of the browser chrome" and you have
something.
							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
