<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Dynamic Security Skins</title>
	<atom:link href="http://usablesecurity.com/2005/07/08/dynamic-security-skins/feed/" rel="self" type="application/rss+xml" />
	<link>http://usablesecurity.com/?p=40</link>
	<description>Every system has a user.</description>
	<pubDate>Thu, 17 May 2012 15:37:40 +0000</pubDate>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>By: ClipperZ</title>
		<link>http://usablesecurity.com/?p=40#comment-2949</link>
		<dc:creator>ClipperZ</dc:creator>
		<pubDate>Sat, 08 Apr 2006 14:56:07 +0000</pubDate>
		<guid isPermaLink="false">http://usablesecurity.com/2005/07/08/dynamic-security-skins/#comment-2949</guid>
		<description>&lt;strong&gt;Fight phishing with Dynamic Security Skins...&lt;/strong&gt;

Dynamic Security Skins or DSS emerged about one year ago and sparked some debate in several places. Some were critics of DSS because its effectiveness depended upon widespread adoption by both browser developers and web site owners. It was unlikely...</description>
		<content:encoded><![CDATA[<p><strong>Fight phishing with Dynamic Security Skins&#8230;</strong></p>
<p>Dynamic Security Skins or DSS emerged about one year ago and sparked some debate in several places. Some were critics of DSS because its effectiveness depended upon widespread adoption by both browser developers and web site owners. It was unlikely&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ping</title>
		<link>http://usablesecurity.com/?p=40#comment-108</link>
		<dc:creator>Ping</dc:creator>
		<pubDate>Fri, 08 Jul 2005 15:03:59 +0000</pubDate>
		<guid isPermaLink="false">http://usablesecurity.com/2005/07/08/dynamic-security-skins/#comment-108</guid>
		<description>There were a couple of audience questions about whether users or companies would have objections to a tool that alters the appearance of sites.  Marketers might complain that it interferes with branding, for example.  I think there's a worthwhile general question to be addressed about how to come up with solutions that are acceptable to the companies that have to implement them (banks, browser vendors, and possibly Internet service providers) as well as the users.  It's tough to satisfy everybody.</description>
		<content:encoded><![CDATA[<p>There were a couple of audience questions about whether users or companies would have objections to a tool that alters the appearance of sites.  Marketers might complain that it interferes with branding, for example.  I think there&#8217;s a worthwhile general question to be addressed about how to come up with solutions that are acceptable to the companies that have to implement them (banks, browser vendors, and possibly Internet service providers) as well as the users.  It&#8217;s tough to satisfy everybody.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ping</title>
		<link>http://usablesecurity.com/?p=40#comment-107</link>
		<dc:creator>Ping</dc:creator>
		<pubDate>Fri, 08 Jul 2005 15:01:47 +0000</pubDate>
		<guid isPermaLink="false">http://usablesecurity.com/2005/07/08/dynamic-security-skins/#comment-107</guid>
		<description>The talk compared DSS to the SiteKey and Petname schemes.  SiteKey requires the user to select a secret image, which is shared with the server.  The Petname toolbar requires the user to assign a label to the site, which is stored only locally.

The concern with the SiteKey scheme is that, because the image is transmitted to the server, it is vulnerable to attack.  The concern mentioned with both schemes is that the user is required to perform customization.  However, I'm doubtful that user customization can be entirely avoided.

I think part 1 of this scheme is a good idea.  As long as the personal image is stored only locally and the user selects the personal image, this is a decent way of establishing a trusted path.

My main issue with DSS is part 2.  The matching patterns show that the connection is encrypted, but don't tell you anything about who you are talking to.  This leaves you vulnerable to impersonation as with today's phishing attacks.</description>
		<content:encoded><![CDATA[<p>The talk compared DSS to the SiteKey and Petname schemes.  SiteKey requires the user to select a secret image, which is shared with the server.  The Petname toolbar requires the user to assign a label to the site, which is stored only locally.</p>
<p>The concern with the SiteKey scheme is that, because the image is transmitted to the server, it is vulnerable to attack.  The concern mentioned with both schemes is that the user is required to perform customization.  However, I&#8217;m doubtful that user customization can be entirely avoided.</p>
<p>I think part 1 of this scheme is a good idea.  As long as the personal image is stored only locally and the user selects the personal image, this is a decent way of establishing a trusted path.</p>
<p>My main issue with DSS is part 2.  The matching patterns show that the connection is encrypted, but don&#8217;t tell you anything about who you are talking to.  This leaves you vulnerable to impersonation as with today&#8217;s phishing attacks.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

