Security Skins: Single Sign-On with Images

Appol writes "Berkeley researchers propose a Mozilla extension to stop phishing. They claim that users only need to remember one password and one image for their lifetime to securely log in to any number of sites. They also use uniquely generated visual hashes to "skin" trusted windows and webpages, which is harder to spoof than the SSL lock icon. To verify that the skin is legit, the user has to compare two images, which is easier for novices than verifying a certificate."

Finally

[nizo]

I knew a non-evil use for the goatse image would be found eventually. I might as well use that image, since it is burned into my brain forever anyway. Plus it has the added advantage of punishing shoulder surfers.

Re:Finally

[EnronHaliburton2004]

If I used that image, I would never, ever surf the web again.

Natalie Portman?

[ajiva]

So we just have to visually confirm that Natalie Portman is hot? That's easy!

Interesting.

[MrAnnoyanceToYou]

Graduate School at UC Berkeley : 100,00$
Summer spent researching anti-spyware : 1,000$ after grants
Doing the world a favor : 0$ in debt
Getting publicity for doing the world a favor among those who care : See Below
Having your .8 MB file downloaded 100,000 times in the course of twenty minutes, taxing your web server extensively because you set it up there as a PDF, making you look like mildly silly because you're DOING INTERNET RESEARCH : Priceless, except for the bandwidth.

That said, it's quite an interesting approach. The notification style for a hash is quite an interesting idea.

No to discriminate

[a3217055]

There are people who are blind what do they do ? Stare at the screen hoping there eye sight comes back?

Not a good over all solution, you need a seperate medium/channel to display such pictures.

Been there, done that.

I've always used the same password, "pa55w0rd", so this part is easy.

Whoops, did I say that out loud? Good thing I didn't mention that my image is a kitten.

Oh shoot...

Re:Colourblind?

[yotto]

*what if they're colour blind?*

They'll pick a black and white image?

What about cost?

[The+Woodworker]

SSL certificates are pretty expensive for someone setting up a secure hobby website. You can go the route of FreeSSL, or generate your own, but this gives browser warnings/errors. I'm wondering how much this method would cost if you got it from GeoTrust/Thawte/etc. and what the lifetime of that would be (good for a year, two years, etc.)?

As a side note, after 8 years of tech support, I find users trust what their browsers trust, and as long as people use browsers like IE and just click on email links, nothing will be secure at the users end.

Re:PDF Alert

[Takara]

I guess if you're reading this, it's likley too late...

You must be new here.

infected computer

[tacroy]

I skimmed the article, and I noticed the adware section, but it didnt really answer my question: If the secure aspect is the local picture and the local picture needs to be pulled from the local machine by the page then what is to stop an adware program from grabbing that api and using the secure picture on a insecure site?

mental images?

[madaxe42]

Worse than goatse... http://slashdot.org/article.pl?sid=00/08/24/182322 5&tid=99&tid=16 -- seriously - what the hell????