On Wed, 09 Sep 2009 15:42:34 +1000
"James A. Donald" <jam...@echeque.com> wrote:

> Steven Bellovin wrote:
> > Several other people made similar suggestions.  They all boil down
> > to the same thing, IMO -- assume that the user will recognize
> > something distinctive or know to do something special for special
> > sites like banks. 
> Not if he only does it for special sites like banks, but if
> "something special" is pretty widely used, he will notice when things
> are different.

We conducted a small-scale controlled user study -- it didn't work.
> > Peter, I'm not sure what you mean by "good enough to satisfy
> > security geeks" vs. "good enough for most purposes".  I'm not
> > looking for theoretically good enough, for any value of "theory";
> > my metric -- as a card-carrying security geek -- is precisely "good
> > enough for most purposes".  A review of user studies of many
> > different distinctive markers, from yellow URL bars to green
> > partial-URL bars to special pictures to you-name-it shows that
> > users either never notice the *absence* of the distinctive feature
> I never thought that funny colored url bars for banks would help, and 
> ridiculed that suggestion when it was first made, and said it was
> merely an effort to get more money for CAs, and not a serious
> security proposal
> The fact that obviously stupid and ineffectual methods have failed is 
> not evidence that better methods would also fail.
> Seems to me that you are making the argument "We have tried
> everything that might increase CA revenues, and none of it has
> improved user security, so obviously user security cannot be
> improved."
Not quite.  I'm not saying it "cannot be improved".  I'm saying that
controlled studies thus far have demonstrated none of the proposed
methods have worked, against fairly straight-forward new attacks.  And
if we've learned one thing over the last ten years, it's that the
attackers are as good as we are at what they do.  There's money to be
made and the market has worked its wonders: there is a demand for
capable hackers, and they're making enough money to attract good people.

What I am saying is twofold.  First -- when you invent a new scheme,
do a scientific test: does it actually help?  Don't assume that because
pure reason tells you it's a good idea, it actually is in the real
world.  Second -- you may very well be right that tinkering with the
password entry mechanisms cannot succeed, because users are habituated
to many different mechanisms and to login screens that regularly change
because some VP in charge of publicity has decided that the site's web
presence looks old-fashioned and needs to be freshened.  In that case,
we have to look at entirely different approaches.  (How many different
experiments will it take to convince people that you can't make gold by
mixing chemicals together?)

                --Steve Bellovin, http://www.cs.columbia.edu/~smb

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to