Client Certificate UI for Chrome?

Steven Bellovin smb at cs.columbia.edu
Sun Sep 6 20:12:37 EDT 2009


On Sep 3, 2009, at 12:26 AM, Peter Gutmann wrote:

> Steven Bellovin <smb at cs.columbia.edu> writes:
>
>> This returns us to the previously-unsolved UI problem: how -- with
>> today's users, and with something more or less like today's browsers
>> since that's what today's users know -- can a spoof-proof password
>> prompt be presented?
>
> Good enough to satisfy security geeks, no, because no measure you take
> will ever be good enough.  However if you want something that's good
> enough for most purposes then Camino has been doing something pretty
> close to this since it was first released (I'm not aware of any other
> browser that's even tried).  When you're asked for credentials, the
> dialog rolls down out of the browser title bar in a hard-to-describe
> scrolling motion a bit like a supermarket till printout.  In other
> words instead of a random popup appearing in front of you from who
> knows what source and asking for a password, you've got a direct
> visual link to the thing that the credentials are being requested for.
> You can obviously pepper and salt this as required (and I wouldn't
> dream of deploying something like this without getting UI folks to
> comment and test it on real users first), but doing this is a
> tractable UI design issue and not an intractable
> business-model/political/social/etc problem.


Several other people made similar suggestions.  They all boil down to  
the same thing, IMO -- assume that the user will recognize something  
distinctive or know to do something special for special sites like  
banks.  Both, to me, are unproven assumptions.  Worse yet, both the  
security literature and what I've seen of user behavior strongly  
suggest to me that neither scenario is true.

Peter, I'm not sure what you mean by "good enough to satisfy security  
geeks" vs. "good enough for most purposes".  I'm not looking for  
theoretically good enough, for any value of "theory"; my metric -- as  
a card-carrying security geek -- is precisely "good enough for most  
purposes".  A review of user studies of many different distinctive  
markers, from yellow URL bars to green partial-URL bars to special  
pictures to you-name-it shows that users either never notice the  
*absence* of the distinctive feature or are fooled by a tailored  
attack (see, e.g., the paper on picture-in-picture attacks).  Maybe  
Camino is really better -- or maybe it just hasn't been properly  
attacked yet, say by a clever flash animation or some AJAX weirdness.   
Given the failure of all previous attempts -- who, amongst the  
proponents of EV certificates, realized that attackers could and would  
use all-green favicon.ico files to fool users -- I think the burden of  
proof is on the proponents.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com