On Sep 3, 2009, at 12:26 AM, Peter Gutmann wrote:
This returns us to the previously-unsolved UI problem: how -- with
today's
users, and with something more or less like today's browsers since
that's
what today's users know -- can a spoof-proof password prompt be
presented?
Good enough to satisfy security geeks, no, because no measure you
take will
ever be good enough. However if you want something that's good
enough for
most purposes then Camino has been doing something pretty close to
this since
it was first released (I'm not aware of any other browser that's
even tried).
When you're asked for credentials, the dialog rolls down out of the
browser
title bar in a hard-to-describe scrolling motion a bit like a
supermarket till printout....
I'm not sure what version of Camino you're running. The most recent
versions use a standard Mac OS GUI element to prompt for passwords -
it's indistinguishable from what you get from Safari. In both cases,
a special prompt window scrolls down out of the chrome, covering some
of the main body of the window. It has a distinctive look: After
it's scrolled down, it appears to be "under" the chrome but over the
top of the body. In Safari - I didn't experiment with Camino - it's
physically tied to the browser window, moving and iconifying with it,
and is fully modal at the window level - you can't switch to another
tab in the same window. (Curiously, you *can* switch to a different
window.) The "loading" indicator in the address bar remains active
while you're being prompted. The *intent* is clearly to create
something hard to spoof, but I don't know enough Flash to say if one
could produce an accurate, or even plausible, fake. (Of course,
*most* passwords on the Web are entered into some random web page. A
distinctive secure prompt that only appears in a minority of cases
doesn't help much.)
The most common MacOS password prompts are from the keychain program,
since you typically store your passwords there. (There are
configurations in which it just asks for permission, not for a
password; and configurations in which it just sends the password. But
if you want to be careful, you only want keychains unlocked when you
intend to use them.) Since *any* program - including programs with no
visible GUI - can use keychains, these prompts are necessarily stand-
alone windows at least sometimes (and for uniformity, they are so all
the time). Those could be spoofed more easily (though if you're
really cautious, you can unlock the necessary keychain by hand ahead
of time and arrange to just give permission to use the entry later, so
you're never entering your password into a window that just pops up on
its own).
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
