Toward a More Secure Web - W3C Workshop on Usability and Transparency of Web Authentication
On March 15 and 16, 2006, W3C held a Workshop on Transparency and Usability of Web Authentication at the Citigroup Long Island Court Square building to identify steps W3C can take to improve Web Security from the user-facing end of the spectrum.
The Call for Participation had required participants to submit position papers. 41 position papers were received. Most Workshop participants came from the security and browser vendor, research, and online finance communities.
The workshop program was structured into seven sessions and an open discussion of next steps. Participants considered shortcomings in the usability of current browser-based authentication technologies. Requirements for and limitations of possible improvements were presented by a number of speakers. Approaches for concrete improvements that were presented included leveraging (secure) metadata; a number of proposals for changes to browser user interfaces and behaviors; protocol changes; and new approaches to identity online.
Based on the discussions at the workshop, W3C staff is currently engaging those present at the workshop and other W3C Members in discussions that may lead to working group charters in three areas: Form-filler support; Secure Chrome; and Secure Metadata.
The workshop was chaired by Dan Schutzer (FSTC) and Thomas Roessler (W3C). Citigroup hosted the workshop. Network connectivity for workshop participants was provided by Cisco.
Workshop Discussions
The first session served to introduce workshop participants to each other, and to introduce some key concepts and requirements. Ian Fette from Carnegie Mellon University gave an introduction to basic principles of usable security, and illustrated how these principles match (or do not match) currently deployed technology for web authentication and some proposed solutions. Key points identified by Fette include that usable security mechanisms must communicate with users on a level that is understandable by them; be designed to make it "hard" for users to commit serious mistakes; be usable from wherever the user is; and be mindful of users' disabilities.
Dieter Bartl (SIZ) and Chuck Wade (FSTC) explored financial industry requirements. Bartl looked at current authentication features and identified reducing the technical possibilities for creating fakes, and more user-acceptable authentication features, as key areas for change. Technologies to reduce possibilities for creating fakes could include agreement by browser manufacturers on parts of the browser chrome that cannot be manipulated by site-controlled scripting, or an optional higher-security, less-rich browser mode. User-acceptable authentication could include different materials that might be shown to users. A more user-friendly representation of fingerprints was suggested. Wade reported on the results from FSTC's Better Mutual Authentication Project. As critical requirements, Usability, Mutuality, and Credibility (in the sense of the amount of trust that one party should assume the authentication claims of another party to have) were identified. Suggested areas for improvement included usability of web security for persons; web security protocols; browser support for challenge-response dialogues with end users; changes to browser support for automated form entry and cookie management; digital certificates and PKI; and a comprehensive architectural framework for Web authentication that includes the final 2 feet between the user's screen and brain.
In the ensuing discussion it was agreed that the "lock icon" fails in many regards to provide any useful assurance to users. Several people spoke to the need for different levels of authentication, suited to the purpose, and the need to be able to delegate the least authority necessary for a purpose.
The second session looked at a broader perspective of the overall problem, and explored wider areas of discussion.
Jeffrey Nelson and David Jeske from Google's Accounts team explored Limits to Anti-Phishing. They identified cost of implementation and deployment, and the need for education as key barriers to adoption of current solutions. They outlined five principles for a possible solution: A trusted UI based on a shared secret; use of strong cryptography to protect authentication secrets; the need for clients effectively authenticating the servers they deal with; not revealing any cleartext passwords; and integration with existing password-based authentication mechanisms as users know them. A number of existing mechanisms were mapped against these criteria.
Drew Dean from Yahoo! discussed authentication requirements that arise from web services that are based on HTTP, such as mashups. Mashups typically involve the use of personal information stored at a third party. Often, such services need to ask for the third-party site's credentials. In this regard, they are indistinguishable from phishing attacks: They need to convince users to give up credentials that they should normally only give up in a different context. In order to accommodate mashups without the need to access users' passwords with other sites, three key requirements were identified: Pseudonymous delegation of partial rights; revocation upon a password change at the identity provider; and opaque identifiers for users.
Robert W Capps II from World Savings Bank started by noting that current authentication processes are weak at best. He observed that there is a failure of multiple parties in today's environment, including OS Providers, Browser Providers, Financial and Commerce Software Providers, Security Vendors, and Financial and Commerce Institutions. Capps identified the recent FFIEC guidelines as only a first step and suggested that, to move further towards an effective solution, these industries must partner to standardize business processes, consumer-visible indicators, and credentials. He stressed the importance of long-term perspectives and of not securing just a single channel.
Following the presentations, questions arose about the general ability to spoof the appearance of web sites, and what defenses there might be against it. The tendency of end-users not to notice security features was a persistent problem. End-users were said to be eager to give away personal information at the suggestion of the slightest reward. More discussion was held on the pros and cons of delegation. Trusted platform technology was raised as a possible approach to prevent capture of keystrokes, etc. The desirability of sticking with passwords, as a familiar technique, versus more exotic authentication techniques not depending on user memory, was also debated.
The third session collected approaches to solutions that gravitate around leveraging additional metainformation.
Phil Archer from ICRA introduced QUAPRO, an RDF vocabulary for trust marks designed by the QUATRO project. This vocabulary allows trustmark operators to offer machine-readable and -discoverable trustmarks that can then be represented in the browser chrome (i.e., outside the part of the browser user interface in which the web page proper is displayed), instead of relying on image material that is transmitted inline.
Mary Ellen Zurko from IBM looked at users' perception of web sites' trustworthiness (empirically based on factors such as ease of use, attractive design, predictability, and similar factors, but not on IT security properties), and suggested the use of metadata as real-world authentication information that might be useful. In particular, a user's history with a site, reputation information from peers or trusted third parties, and the time line of such information could be evaluated by user agents and displayed. Personalization of user experiences could help to mitigate spoofing attacks.
Kenneth Wright II from World Savings Bank talked about mimicking the personal experience at a local bank branch online to enable users to successfully authenticate "their" banking site once authentication has successfully been finalized, by providing a personalized experience that can be based on users' transaction history. Audience discussion of this talk established a user-to-service authentication process that is secure against man-in-the-middle attacks as a prerequisite for using this kind of personalized experience as a factor in authenticating the service to the user.
Further discussion raised the possibility of preventing forged email, attacking the phishing problem at its root. Little progress was made in that direction. It was pointed out that use of personal metadata to help authentication only works after the user has successfully contacted the authentic site the first time. The idea of having a rating system for public keys was proposed. Behavior changes at banks in their email messages to customers, such as never including links and informing customers of that policy, might also help.
The fourth session explored different approaches to browsers showing additional or different information to users.
Tyler Close from Hewlett-Packard introduced the Petname plugin for Firefox: Since differences between domain names can be hard to spot (or impossible, as with IDN homoglyph attacks), the Petname plugin displays a nickname when known TLS sites are visited. The nickname is tied to information gained from the certificate used, and is not attached to any particular domain name.
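To make the binding concrete, here is an added illustration (not the Petname plugin's own code) of a nickname store keyed by certificate identity rather than by hostname; it assumes, as a simplification, that the identity is a hash of the certificate's public key, and uses constructed stand-ins for certificates:

```python
import hashlib

# Constructed stand-ins for TLS certificates (not real certificates), reduced
# to the fields this example needs. PHISH_CERT's subject uses a Cyrillic
# letter (U+0430) in place of the Latin 'a', so it renders like "bank.example".
BANK_CERT = {"subject": "bank.example", "spki": b"constructed public key of the bank"}
BANK_ALT_CERT = {"subject": "login.bank.example", "spki": b"constructed public key of the bank"}
PHISH_CERT = {"subject": "b\u0430nk.example", "spki": b"constructed public key of an attacker"}


def key_fingerprint(cert: dict) -> str:
    """Identity a petname is bound to. Assumption made here: the certificate's
    public key (the page only says 'information gained from the certificate').
    The hostname is deliberately not part of the input."""
    return hashlib.sha256(cert["spki"]).hexdigest()


class PetnameStore:
    """User-assigned nicknames keyed by certificate identity, not domain name."""

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}

    def assign(self, cert: dict, petname: str) -> bool:
        """Record a nickname; returns False (and changes nothing) if that
        nickname already names a different key, because a nickname that
        could mean two identities would give the user no assurance at all."""
        fp = key_fingerprint(cert)
        for other_fp, other_name in self._by_key.items():
            if other_name == petname and other_fp != fp:
                return False
        self._by_key[fp] = petname
        return True

    def chrome_label(self, cert: dict) -> str:
        """What the browser chrome would show for the site presenting `cert`."""
        name = self._by_key.get(key_fingerprint(cert))
        return name if name is not None else "(no petname: unfamiliar site)"
```

A look-alike hostname with a different key gets no nickname, while the same key on another hostname keeps it.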
Amir Herzberg from Bar Ilan University presented TrustBar, a plugin for Firefox that tests a number of possible anti-phishing changes in the browser chrome: A site identification widget displays logos (if present in an X.509 logoType extension, or assigned by users) or names (user-assigned or taken from certificates) of both sites and the CAs that issued TLS certificates. Herzberg also discussed directions for further work, including requirements for stronger certification practices and "public-protest certificates", and "single-click logon" to avoid user-entry of passwords.
Sebastian Gajek from Ruhr-University Bochum discussed the use of a "tamed down" browser configuration as a security mode, and introduced initial work on using such a well-understood browser security mode to do formal security proofs of SSL understood as a three-party protocol executed between user, browser, and server. This better reasoning about the security protocol that is executed could then be relied upon by web sites to infer that users were securely authenticated, provided that servers can know whether the client's browser was running in a "tamed" security mode.
Phillip Hallam-Baker of Verisign, Inc presented Secure Internet Letterhead. The idea is to establish a new class of high-grade identity certificates which are issued only upon careful inspection of the applicant, and backed by the public reputation of the Certificate Authority. The CA's brand would be displayed, promoting accountability, and thus trust. He outlined the changes in infrastructure needed to widely support this idea.
In the following discussion period, the importance of establishing trust in the CA brand, similar to credit card brands, was emphasized. Other discussion revolved around security techniques that assume a user works from one, or a few personal computers or devices, versus users who use public kiosks, etc.
Prasanta Behera and Naveen Agarwal of Yahoo!, Inc. presented A Confidence Model of Web Browsing. This technique exchanges some browser-specific metadata with a server to improve authentication, and includes a list of allowed and disallowed domains. Visual indications of verified connections are displayed.
Frederick Hirsch of Nokia presented a paper developed with Hubert A. Le Van Gong of Sun on Approaches to Simplify Server Authentication. Different protocols using identity providers for single sign-on were presented. The intent is to improve server authentication without over-burdening the client.
John Linn presented a paper jointly developed with Burt Kaliski and Moti Yung, all of RSA Laboratories, and Magnus Nyström of RSA Security Inc., titled Applying Context to Web Authentication. The paper focussed on ways to reduce the reusability of authenticator data, such as with destination-specific hashing or time dependency. The importance of trustworthy user interfaces was also discussed.
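The two reusability limits named above, destination-specific hashing and time dependency, as an added worked example (a construction written for this summary, not the paper's scheme): the value a site ever sees is an HMAC bound to that site's hostname, and the per-login authenticator is additionally bound to a coarse time slot, so a value captured at a look-alike host, or replayed later, does not verify.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def canonical_destination(url: str) -> str:
    """Reduce a URL to the host the credential is bound to (lower-cased, no
    port or path). A look-alike phishing host is therefore a different
    destination and derives a different value."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def site_password(master_secret: str, url: str) -> str:
    """Destination-specific hashing: HMAC(master, destination). The master
    secret never leaves the client; each site receives only its own derived
    value, which is useless at any other destination."""
    dest = canonical_destination(url)
    mac = hmac.new(master_secret.encode(), dest.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:18]).decode()


def timed_authenticator(site_pw: str, url: str, now: int, window: int = 30) -> str:
    """Time dependency: bind the per-login authenticator to a time slot of
    `window` seconds, so a captured value stops verifying after the slot."""
    slot = now // window
    msg = f"{canonical_destination(url)}|{slot}".encode()
    return hmac.new(site_pw.encode(), msg, hashlib.sha256).hexdigest()[:16]


def server_verify(stored_site_pw: str, url: str, presented: str,
                  now: int, window: int = 30) -> bool:
    """Server side: recompute for the current slot and the previous one
    (tolerating clock skew) and compare in constant time."""
    for t in (now, now - window):
        expected = timed_authenticator(stored_site_pw, url, t, window)
        if hmac.compare_digest(expected, presented):
            return True
    return False
```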
Andy Ozment and Stuart E. Schechter of MIT Lincoln Laboratory, and Rachna Dhamija of Harvard University discussed why Web Sites Should Not Need to Rely On Users to Secure Communications. This paper proposed a new Service Security Requirement (SSR) record in DNS, accessed using DNSSEC, to provide trusted information connecting the domain name with signed certificates. This solves man-in-the-middle attacks. Since this approach recommended the general move to HTTPS, questions involved the practicality of that move, especially in portable devices.
John Merrells of SXIP Identity Corp. presented the Simple extensible Identity Protocol (SXIP). The model involves "Membersites" which need authentication information, and "Homesites" which store such data. It uses a new Digital Identity Exchange URI (DIX) to facilitate authentication. The presentation included 85 slides which went by very quickly. This is being proposed to the IETF. This system is proposed for relatively low value transactions.
Kaliya Hamlin of Identity Commons presented a paper jointly developed with Phillip J. Windley of Brigham Young University called "Identity Rights Agreements and Provider Reputation". This addressed questions of managing the identity information you provide against the need for that information and your privacy rights. She proposed "Identity Rights Agreements" with a range of choices. The audience had several comments regarding the similarities between this proposal and P3P.
Michael Jones of Microsoft presented the Identity Metasystem: A User-Centric, Inclusive Web Authentication Solution. Microsoft has implemented this in its InfoCard software. The system is built around a model of Subjects, Identity Providers and Relying Parties. The technology is built on top of WS-* (Web Services) protocols.
In the general discussion that followed it was pointed out that different speakers used terminology around identity differently. There is a difference between identification and authentication. There was more discussion on retiring passwords as an authentication method and the possibility of spoofing systems such as InfoCard.
George Staikos of KDE spoke on Improving Internet Trust and Security. The presentation reviewed the numerous vulnerabilities of the Internet and web browsers. There is a dichotomy between fixing the Internet (for security) and breaking the Internet (for usability). He recommended coordinated action, rather than individual browsers implementing unique security approaches.
Mike Beltzner of the Mozilla Foundation outlined some of the security approaches coming in Firefox 2. He pointed out that people are using the plug-in architecture to experiment with solutions. He noted that the online world lacks the quality of "signals" people use in real life to establish trust.
Charles McCathieNevile of Opera presented "Security for Users and Browsers". He pointed out that there is one web, and that it must be accessible securely on a wide variety of devices in many environments. He, too, advocated for standardized solutions that could be implemented by all browsers.
In the question and answer session, several questions were on the topic of whether, when, and how the different browser developers share ideas. It appears that the answer is that there is very informal and occasional interaction (such as at meetings like this). There was some agreement that a better presentation of authentication information in the GUI was a good idea, but major GUI changes were not really supported. It was mentioned that if browsers offered more security features, then content producers would need to change their websites to take advantage of them, which is hard to bring about.
The final session of the workshop explored possible next steps. It was introduced by Dan Schutzer, who summarized themes that had come up during the workshop: Strengthening of mutual authentication signals, and constraints on the re-use of authentication credentials; possible strengthening of paths against malware that may reside on clients; a safer browsing mode to minimize the likelihood of forgeries of indications and warning signs.
In the following audience discussion, participants stressed the importance of distinguishing between channel and usability improvements. Important work on channel improvements happens in the context of IETF work on HTTP, where rejuvenated interest can be observed. This work addresses a variety of HTTP use cases (including WebDAV, CalDAV, and others), and is not limited to the Web Browser context.
Even without touching the protocol level, markup could be introduced to help user agents fill in HTML forms that are used for authentication information - this markup could identify password fields, and could enable password management tools to automatically generate acceptable passwords. On the other hand, authentication dialogues that are implemented in the browser chrome were identified as a useful concept that, however, is badly implemented at this point. Directions for improvements in this area could include truly mutual authentication, and support for challenge-response protocols that are executed between the server and the user, as opposed to protocols that are executed between the server and the user's computer.
For useful mutual authentication, two approaches were distinguished: A light-weight environment, in which users learn about the identity of the party that they deal with through visual and context cues, and cryptographic mutual authentication protocols that ensure mutual authentication without the user's direct participation.
Participants identified turning off some dangerous browser functionalities as a critical step towards a safer browser interface. Browser vendors argued that this step must be carefully considered and coordinated, since it is liable to be perceived as jeopardizing content developers' investments, and, more generally, as "breaking the Web".
It was stressed that users must be able to tell when they are operating in a secured browsing environment.
From an interoperability perspective, participants suggested that better transparency of browser security features for content developers would be useful. The flip side of this would be the ability for web sites to activate security features, for example through metainformation that is exchanged during the TLS handshake, or through metainformation that is stored in DNS records. One participant suggested that web sites could learn about activated security features, and could warn users about unsafe configurations.
Secure labeling was discussed as an enabler for richer trust information ("this is a bank") that could be displayed to users, and identified as a topic that is related to prior work at W3C. At the same time, it was warned that such approaches should be useful for a broad variety of use cases, and should not be limited to online financial services.
W3C has set up a public mailing list where workshop participants and other interested parties discuss perspectives for future work.
Some topics related to the workshop's discussions have recently been discussed on the public mailing list of the Technical Architecture Group:
W3C staff is currently engaging those present at the workshop and other W3C Members in discussions that may lead to working group charters in three of the areas listed above: Form-filler support; Secure Chrome; and Secure Metadata.
These topics are also being discussed on the workshop follow-up mailing list. The Advisory Committee will receive advance notices if and when drafts for charters are available. Such drafts will also be announced on the workshop mailing list.