Wednesday, March 15, 2006

At the W3C Workshop on Security Usability

So far we have had introductions and the requirements session.

I already know 80% or so of the people in the room from previous standards meetings. What is interesting though is that there are people here from all the major consortiums. There are quite a few academics and W3C people as you would expect but we also have quite a large IETF contingent, many AntiPhishing WG people, people who worked on SAML in OASIS, people from the FSTC and so on.

The main message so far is that we have to 'get out of this rut' as the speaker just put it. We have to stop avoiding these problems as being too hard.

The detailed comments mostly reflect the consensus that the Web user interface is a disaster where security is concerned. Features were added to the Web with negligible thought for the security implications. The security interface itself is a poorly designed afterthought.

As expected from the position papers two tracks are emerging, roughly speaking inbound and outbound authentication. The phishing phenomenon attacks both sides of the equation. The phishing email is a social engineering attack against the outbound authentication scheme (bank to user). The objective is to hijack the reverse authentication (user to bank) by stealing the password.

Some points I would like to raise here are: 1) This is not only about phishing; we should look at phishing as an example of an attack that is uncovering security vulnerabilities. 2) HTTP Digest auth did get quite a bit right, but the design was completely undercut by the downgrade attack to BASIC and form submission. 3) It's not just about fraud, it's about not making the user miserable when you don't have to. To access the WiFi I just had to type in a stupid 26 character string into a blind password form twice.

Cleanup: We are now getting to the question of what W3C can do. One set of tasks that seems to be quite clearly needed is some form of cleanup so that, e.g., banks start encrypting their front page rather than, as is common today, having a non-SSL front page with a form submission on it.
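The "non-SSL front page with a login form" pattern is easy to check for mechanically. The following is an added example (not code from the post or the workshop): it parses a page, resolves each form's action against the page URL, and flags password forms where either the page or the submit URL is plain http. The sample page URL and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect each <form>: the URL it posts to and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms: (action_url, has_password)
        self._current = None   # form being parsed: [action_url, has_password]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action means "submit to the page itself".
            self._current = [urljoin(self.page_url, attrs.get("action") or ""), False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def find_insecure_login_forms(page_url, html):
    """Return submit URLs of password forms exposed to a network attacker.

    Flag a form when the page carrying it or its action is plain http: an
    unencrypted page can be rewritten in transit even if the action is https,
    and an http action sends the password in the clear either way.
    """
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    page_is_plain = urlsplit(page_url).scheme != "https"
    return [action for action, has_password in auditor.forms
            if has_password and (page_is_plain or urlsplit(action).scheme != "https")]


# Constructed sample: a front page served over plain http whose login form
# posts to https, the pattern the workshop wants banks to clean up.
SAMPLE_PAGE_URL = "http://bank.example/"
SAMPLE_HTML = """<form action="https://bank.example/login" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
<form action="/search" method="get"><input type="text" name="q"></form>"""

if __name__ == "__main__":
    print(find_insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The search form is not flagged because it carries no password field; the login form is flagged even though its action is https, because the http page that delivers it could be altered before the user ever submits.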

Automatic Form submission: All the web browsers offer to remember form information. As a result there is a ridiculous amount of risky information embedded in the browser.

Multi-Factor Authentication: Quite a bit of discussion on this. Most of the comments are unsurprising. Just had a comment from Tyler that really points to the need for tiered access. I should be able to log into my brokerage account pretty easily to do research. This does not have the same degree of risk as trading or liquidating the account. I seem to remember there was a proposal in the FSTC paper that had three-level access, A, B, C.
