Hi Anne/All,

Thanks for the response. I think your use case is slightly different than what I was going for, but perhaps I can extend my idea to cover a different aspect of yours.

Just for clarity, if I understand correctly, the relationship between services like okta.com and google.com isn't what I'm addressing (sounds more OAuth-ish, etc.). Rather, the relationship between you, your employer, and okta.com might be more in line with where I'm going, but still isn't really the primary case.

Let me explain. In your case, you or your company IT department made a judgement call to trust okta.com with managing a business asset: business-related accounts used for business purposes, hosted by a third party. Presumably your credentials to okta.com are a risk to the company if compromised. If a phisher sent you an email claiming to be okta.com with a link to a fake but believable hostname, say otka.com (see what I did there), and you happened to click the link and were on the verge of providing your credentials, you would be in a situation where your perception of the hostname is the only indication to spark your skepticism and avoid compromise. Exactly the edge phishers hope for.
My vague idea is that the user agent should have the capability to notify you, the end user, that there is no relationship between yourcompany.com and otka.com (the bad guy), perhaps in a similar manner to how browsers today indicate a lack of integrity with regard to HTTPS verification failures. Instead of the user agent labeling the bad guy as bad, it would be the opposite. When yourcompany.com formed the business relationship with okta.com, it could perhaps share a bit of digitally signed data, say digitally sign the URL to the login page (www.okta.com/yourcompany) and embed that in the response. Then the user agent would be able to notify you each time you log in that yourcompany.com authorized www.okta.com/yourcompany, in an obvious enough manner for you to notice it missing when you clicked the phishing link.

In a sense my hope is to label the good relationships as truthfully good, have the user agent constantly label them as such, and then the hope is that typical end users can be skeptical when the "this is the good guy" label is missing, enhancing human perception of good vs. evil.

All of this is very specific, but in general, at the core, I think that as orgs continue the trend of "outsourcing IT" there needs to be a way on the web to describe and authenticate the relationships in a manner that end users and user agents can digest. Making a lot of assumptions and going out on a limb here, but a fun little thought experiment, and I look forward to continuing the brainstorm.

Chris

On Tue, Jan 13, 2015 at 1:09 AM, Anne van Kesteren <[email protected]> wrote:
> On Mon, Jan 12, 2015 at 8:18 PM, Chris Hartmann <[email protected]> wrote:
>> Should we solve this? Is it solved already? Could use help gelling or
>> junking this idea.
>>
>> I have a few ideas on how this could be improved/implemented.
>
> I'd be interested to hear them. E.g. at work we started using
> https://www.okta.com/ to log in to a bunch of services, including
> e.g. Google services. It felt extremely phishy to give credentials to
> okta.com to make use of a google.com service.
>
>
> --
> https://annevankesteren.nl/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
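Added example (written for this archive page; it is not part of the thread above and not any actual proposal from the list): a stdlib-only Python sketch of the signed-login-URL idea Chris describes. It assumes that yourcompany.com holds a signing key, that the user agent has already obtained the matching public key out of band (the thread does not say how that would happen), and that the authorized login URL and the otka.com decoy are constructed test data. Lamport one-time signatures over SHA-256 are used only to avoid third-party dependencies; a real design would use a standard scheme such as Ed25519.

```python
"""Sketch of a signed 'this login page is authorized by my employer' assertion.

Employer side (yourcompany.com): sign the canonical login URL once when the
relationship with the identity provider is set up.
User-agent side: on any login page, show a label only if a valid assertion
from a relying party it has a trusted key for covers exactly this origin/path.
All keys, URLs and domains below are constructed example data.
"""
import hashlib
import secrets
from urllib.parse import urlsplit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Lamport OTS: 256 pairs of random preimages; public key = their hashes.
    A Lamport key must sign only ONE message, or preimages leak."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _message_bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of H(msg), the matching preimage."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _message_bits(msg))))


def canonical_url(url: str) -> str:
    """https only; lower-case host, default port dropped, query/fragment dropped."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("only https URLs with a host can be authorized")
    port = f":{parts.port}" if parts.port not in (None, 443) else ""
    return f"https://{parts.hostname}{port}{parts.path or '/'}"


def assertion_message(relying_party: str, login_url: str) -> bytes:
    # Domain-separated, fixed-layout message: the signature cannot be replayed
    # as some other statement or on behalf of some other relying party.
    return (b"websec-login-authorization\x00" + relying_party.lower().encode()
            + b"\x00" + canonical_url(login_url).encode())


def issue_assertion(sk, relying_party: str, login_url: str) -> dict:
    """Employer side: sign the authorized login URL (one key per assertion)."""
    url = canonical_url(login_url)
    return {"relying_party": relying_party.lower(), "login_url": url,
            "signature": lamport_sign(sk, assertion_message(relying_party, url))}


def label_for_page(page_url: str, assertion: dict, trusted_keys: dict):
    """User-agent side: the label to display, or None when no valid relationship
    covers this page (which is the cue for the user to be skeptical)."""
    pk = trusted_keys.get(assertion["relying_party"])
    if pk is None:
        return None
    msg = assertion_message(assertion["relying_party"], assertion["login_url"])
    if not lamport_verify(pk, msg, assertion["signature"]):
        return None                      # altered or forged assertion
    try:
        page = canonical_url(page_url)
    except ValueError:
        return None                      # plain http: never labeled
    page_parts, auth_parts = urlsplit(page), urlsplit(assertion["login_url"])
    if page_parts.netloc != auth_parts.netloc:
        return None                      # otka.com is not www.okta.com
    # Same origin: page must be the authorized path or sit below it.
    below = page_parts.path.startswith(auth_parts.path.rstrip("/") + "/")
    if page_parts.path != auth_parts.path and not below:
        return None                      # another tenant on the same IdP
    return f"login page authorized by {assertion['relying_party']}"


def demo() -> dict:
    sk, pk = lamport_keygen()
    assertion = issue_assertion(sk, "yourcompany.com", "https://www.okta.com/yourcompany")
    keys = {"yourcompany.com": pk}
    tampered = dict(assertion, login_url="https://www.otka.com/yourcompany")
    return {
        "legit": label_for_page("https://www.okta.com/yourcompany/login?x=1", assertion, keys),
        "typo_host": label_for_page("https://www.otka.com/yourcompany", assertion, keys),
        "other_tenant": label_for_page("https://www.okta.com/evilcorp", assertion, keys),
        "plain_http": label_for_page("http://www.okta.com/yourcompany", assertion, keys),
        "tampered": label_for_page("https://www.otka.com/yourcompany", tampered, keys),
    }


if __name__ == "__main__":
    for case, label in demo().items():
        print(f"{case:13s} -> {label}")
```

Only the legitimate URL gets the label; the look-alike host, a different tenant path on the same provider, a plain-http copy, and an assertion whose URL was edited by the attacker all come back with no label. Two caveats the sketch makes visible: the user agent needs a trustworthy out-of-band channel for yourcompany.com's public key (otherwise a phisher just supplies its own key), and a Lamport key is strictly one-use, which is why the code signs one assertion per key.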
