Slashdot Mirror


Security Skins: Single Sign-On with Images

Appol writes "Berkeley researchers propose a Mozilla extension to stop phishing. They claim that users only need to remember one password and one image for their lifetime to securely log in to any number of sites. They also use uniquely generated visual hashes to "skin" trusted windows and webpages, which is harder to spoof than the SSL lock icon. To verify that the skin is legit, the user has to compare two images, which is easier for novices than verifying a certificate."
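
As an added illustration (not part of the submission, nor code from the researchers' extension), a Python sketch of the skinning idea the summary describes: a deterministic visual hash derived from a secret that only the browser and the genuine server share, so a page that lacks the secret cannot reproduce the skin and the user's side-by-side comparison fails. The shared secret, the window label and the phisher's guess are constructed stand-ins; the real extension derives its secret inside the login protocol, which this sketch does not reproduce.

```python
import hashlib
import hmac

# Constructed stand-ins for what the real extension would derive: a secret shared
# only by the user's browser and the genuine server, and a label for the window.
SHARED_SECRET = b"constructed-demo-session-secret"
PHISHER_GUESS = b"constructed-wrong-secret"
LABEL = "login-window:example-bank"


def visual_hash(secret: bytes, label: str, size: int = 8):
    """Expand HMAC-SHA256(secret, label || counter) into a size x size grid of RGB tiles.

    Same (secret, label) -> same grid, so browser chrome and server page can be
    skinned identically; without the secret the grid differs with overwhelming odds.
    """
    stream, counter = b"", 0
    while len(stream) < size * size * 3:
        msg = label.encode() + counter.to_bytes(4, "big")
        stream += hmac.new(secret, msg, hashlib.sha256).digest()
        counter += 1
    grid = []
    for r in range(size):
        i = r * size * 3
        grid.append([tuple(stream[i + 3 * c : i + 3 * c + 3]) for c in range(size)])
    return grid


def render_ascii(grid) -> str:
    """Render the tile grid as text so two skins can be eyeballed side by side."""
    shades = " .:-=+*#%@"
    return "\n".join(
        "".join(shades[(r + g + b) * len(shades) // 766] for r, g, b in row) for row in grid
    )


def skins_match(a, b) -> bool:
    """The user's check: does the page's skin match the one the browser shows?"""
    return a == b


if __name__ == "__main__":
    browser = visual_hash(SHARED_SECRET, LABEL)
    spoof = visual_hash(PHISHER_GUESS, LABEL)
    print("genuine page matches browser skin:", skins_match(browser, visual_hash(SHARED_SECRET, LABEL)))
    print("spoofed page matches browser skin:", skins_match(browser, spoof))
    print(render_ascii(browser))
```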

17 of 169 comments

  1. Finally by nizo · · Score: 5, Funny

    I knew a non-evil use for the goatse image would be found eventually. I might as well use that image, since it is burned into my brain forever anyway. Plus it has the added advantage of punishing shoulder surfers.

    1. Re:Finally by EnronHaliburton2004 · · Score: 4, Funny

      If I used that image, I would never, ever surf the web again.

  2. Natalie Portman? by ajiva · · Score: 4, Funny

    So we just have to visually confirm that Natalie Portman is hot? That's easy!

    1. Re:Natalie Portman? by kocovnik · · Score: 3, Funny

      I'm not sure what this image is supposed to prove. Am I not supposed to think that Natalie Portman sticking her hands down her pants is amazing? Or is it the other way around?

      --one confused Slashdot reader

    2. Re:Natalie Portman? by binarybum · · Score: 3, Funny

      Hey! Who the heck photoshopped me out of the picture where I was putting my hand down Natalie's pants!?

  3. Yes, this should work well! by Capt'n+Hector · · Score: 3, Funny

    Because when a webpage is spoofed, the skin will make it look like the gates of hell, and when it's legit, you see a kitten frolicking in a meadow.

    --
    Quid festinatio swallonis est aetherfuga inonusti?
    Africus aut Europaeus?

  4. Interesting. by MrAnnoyanceToYou · · Score: 5, Funny

    Graduate School at UC Berkeley : 100,00$
    Summer spent researching anti-spyware : 1,000$ after grants
    Doing the world a favor : 0$ in debt
    Getting publicity for doing the world a favor among those who care : See Below
    Having your .8 MB file downloaded 100,000 times in the course of twenty minutes, taxing your web server extensively because you set it up there as a PDF, making you look mildly silly because you're DOING INTERNET RESEARCH : Priceless, except for the bandwidth.

    That said, it's quite an interesting approach. The notification style for a hash is quite an interesting idea.

  5. What About Netcraft? by dshaw858 · · Score: 3, Insightful

    Isn't this a lot like Netcraft's new Anti-Phishing plugin? I'm glad that all these people are finally taking initiative against phishers, even though it's almost definitely due to the heightened media attention that phishing is currently getting.

    In practice though, I think the only way this would really work is if it's shipped by default in Firefox. The people that would install this anti-phishing plugin aren't usually the people that would get tricked by phishing scams anyway.

    - dshaw

    Note: This is all IMO; and yes, I understand that some scams are so realistic that anyone could get caught in their webs.

  6. No to discriminate by a3217055 · · Score: 4, Insightful

    There are people who are blind; what do they do? Stare at the screen hoping their eyesight comes back?

    Not a good overall solution, you need a separate medium/channel to display such pictures.

    1. Re:No to discriminate by Council · · Score: 3, Insightful

        There are people who are blind; what do they do? Stare at the screen hoping their eyesight comes back?

        Not a good overall solution, you need a separate medium/channel to display such pictures.

      Don't be silly. The not-too-large group of blind heavy computer users (a group including two of my friends) has to develop separate tools for this stuff, such as screen readers (if you want Linux tools, there are plenty) and the like. "You need a separate medium/channel to display such pictures" . . . sounds kind of silly. A non-visual channel for displaying pictures? These pictures are useful only because they make use of the human visual processing center. Blind people will verify certificates with separate software tools piled on top of this. No more convenient than the current system for them, unfortunately, but they're used to working around this kind of thing.

      Summary: The visual system is only useful because it's easy for people with sight to verify. Blind people will use separate tools, as they always have. Your objections don't seem to make that much sense.

      --
      xkcd.com - a webcomic of mathematics, love, and language.

  7. Been there, done that. by Anonymous Coward · · Score: 4, Funny

    I've always used the same password, "pa55w0rd", so this part is easy.

    Whoops, did I say that out loud? Good thing I didn't mention that my image is a kitten.

    Oh shoot...

  8. Re:Colourblind? by yotto · · Score: 4, Insightful

    *what if they're colour blind?*

    They'll pick a black and white image?

  9. What about cost? by The+Woodworker · · Score: 4, Interesting

    SSL certificates are pretty expensive for someone setting up a secure hobby website. You can go the route of FreeSSL, or generate your own, but this gives browser warnings/errors. I'm wondering how much this method would cost if you got it from GeoTrust/Thawte/etc. and what the lifetime of that would be (good for a year, two years, etc.)?

    As a side note, after 8 years of tech support, I find users trust what their browsers trust, and as long as people use browsers like IE and just click on email links, nothing will be secure at the user's end.

    --
    Give a man a fish and he'll eat for a day. Teach him to fish and he'll wipe out the species.

  10. Re:PDF Alert by Takara · · Score: 4, Funny

    I guess if you're reading this, it's likely too late...

    You must be new here.

  11. infected computer by tacroy · · Score: 4, Insightful

    I skimmed the article, and I noticed the adware section, but it didn't really answer my question: If the secure aspect is the local picture and the local picture needs to be pulled from the local machine by the page, then what is to stop an adware program from grabbing that API and using the secure picture on an insecure site?

  12. mental images? by madaxe42 · · Score: 5, Funny

    Worse than goatse... http://slashdot.org/article.pl?sid=00/08/24/1823225&tid=99&tid=16 -- seriously - what the hell????

  13. Stop Phishing? by protolith · · Score: 3, Insightful

    Dear valued ebay customer,

    You may be aware of a new technology to synch a picture with a web page to ensure it is legitimate. Please click this link to download an executable to synch the picture you selected with our server, to better provide you with secure transactions.

    Anyone that sees this as a phishing scam doesn't need this technology; anyone that does need this technology is just as likely to fall for this.