Making the Web a More Secure Place

The current phishing attempts are ludicrously easy to mount, and they are this ludicrous because the current web’s security model is fundamentally broken.

If Joe Q. Random discovers a new site (maybe a forum site dedicated to discussing cats — Mr. Random is a big cat afficionado), he needs to create an account. He creates a username, and a password, and will be asked to supply an e-mail address to confirm the registration. Random does so.

Now, all someone needs to do to get Random’s credentials is to fake a Realistic Mail from saying “someone has responded to your message. Click <here> to read the reply.” Random clicks, and is presented with the login screen. Random enters his credentials. What R. didn’t notice was that the link actually went to But two seconds later, he’s on the real, mildly bemused by there not being a response to any of the messages. “Maybe someone deleted it, or something”, thinks Random, without a thought. Random’s cat-forum credentials are now in the hands of Hackers’R’Us. Security — failed. Faking the realistic e-mail is a child’s play — all someone from Hackers’R’Us needs to do is to create two accounts, reply from one to the other, and presto!, copy’n’paste the e-mail.

“Why is Random clicking on things sent to him in the e-mail?” cry all those holier-than-thou security experts. Because, they seemed to have forgot, the web has trained him to do it. E-mailed links is the normal notification mechanism on the web.

How can we solve this? Simple, do away with passwords.

All sent links should contain “credential information” which will auto-log the user. If the user needs to log in, he can click for “send me credentials”, which will send him a credentialed link. E-mail providers can ask for a cellphone number, to which they will send a one-use (ONE USE) code, which will log the user in. They can also, on creation, ask for an address they can snail-mail a one-use code, in case the user loses his cellphone. (Naturally, you might have to pay for that — but on the off-chance that this happen, to your primary e-mail address, paying 10$ to restore it should be within the means of most people.)

Of course, most sites should not even need that much. Just offer the chances of a Facebook Connect/Open ID log-in, and don’t even try asking for a “credentials”. Let someone else handle credentials for you.


One Response to Making the Web a More Secure Place

  1. Steve says:

    Unfortunately, you’re missing out the human element:

    1. if you make a security system too complex, users will either find a way to circumvent it. Take for example, the IT manager who goes mad with power and sets up a policy on Active Directory that your password must be 16 characters long and can’t be one of your last 50 passwords and the passwords expire every week. Users start writing their passwords down on paper or just start adding new characters on to existing passwords because it’s just not possible for most people to remember something so complex that changes so frequently. In fact, my last university’s account had this policy, and I just implemented a “serial number” in the middle of my password. All I had to do was find the number of weeks that I had been at the university and stick that in there.

    2. If you make a security system too complex, users just won’t use it and will go elsewhere. Bear in mind that you are an extremely advanced computer user with (i assume) decades of experience using computers. Would your grandmother be able to understand that she has to switch from program to program to authenticate at her favourite cat-related forum?

    You’re never on IRC anymore. We miss you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: