Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Yoav Nir <ynir@checkpoint.com> Mon, 13 December 2010 15:49 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Mon, 13 Dec 2010 17:50:52 +0200
Thread-Topic: [saag] [websec] [kitten] [apps-discuss] HTTP authentication: the next generation
Message-ID: <878FA115-D801-4063-AD87-DB2C2B2DE0D1@checkpoint.com>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@[10.20.30.150]> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com> <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <4D054041.7010203@cisco.com> <0435D11C-DF55-464D-B23F-F5D114DEE2C3@checkpoint.com> <2229.1292235952.971571@puncture> <4D05FB8F.3070804@qbik.com> <2229.1292239384.281779@puncture> <96517E19-5DC7-47A0-8C21-C710F6F8F772@tzi.org> <5D5AF795-22AB-4726-B791-3706693466C3@checkpoint.com> <4D063CA5.8060907@gmail.com>
In-Reply-To: <4D063CA5.8060907@gmail.com>
Cc: "Common@core3.amsl.com" <Common@core3.amsl.com>, protocols <apps-discuss@ietf.org>, websec <websec@ietf.org>, -, General, Generation <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

On Dec 13, 2010, at 5:32 PM, Yaron Sheffer wrote:

> Just like the phrase "I am not a lawyer" is always followed by amateur 
> legal advice (I know that for sure, I've done it myself), the same goes 
> for "I am not a UI expert".
> 
> Two comments:
> 
> - There are in fact a few security-usability experts. I don't know if 
> any of them participate in the IETF. This is an emerging research field, 
> see e.g. http://oreilly.com/catalog/9780596008277.
> 
> - (I am not a UI expert, but...) Devising UI cues is extremely 
> difficult. People will gladly enter their password when the web site 
> displays a JPEG-rendered padlock icon.

I don't know how to stop them, unless the "special" UI cue becomes so ubiquitous that its absence causes the user to think, "Wait a minute, this does not look like authentication!"

As long as every website has authentication that looks different and not different enough from regular web browsing, people are going to accept any web form as a legitimate authentication dialog.

> In fact *legitimate* sites have 
> been known to display such icons, strange as it may sound.
> 
> Thanks,
> 	Yaron