Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)
Petname
Petname is a web browser user interface widget that sits in the browser’s toolbar, in clear view of the user at all times. It lets the user record a short note describing the relationship they have with a particular site, and it is this user-written note, rather than anything the site presents, that the user relies on to recognise the site on later visits. The responsibility for establishing the reference point used to authenticate a website is therefore placed on the user.
The Petname widget displays the user’s note every time the website is accessed, allowing the user to determine quickly whether the site they are visiting is the one they expect. The key advantage of this design is that the visited website cannot read or alter the note the user has set: the note is stored by the browser and rendered in the toolbar, outside the reach of page content. This distinguishes the Petname widget from other indicators that also sit in the browser chrome, such as the address bar and the padlock icon, whose contents are derived from data the site itself supplies. The user can therefore be certain that the text appearing in the Petname widget was written by them and has not been altered by an external source.
The need for such an approach exposes a shortcoming in current web browser user interface design. When a user visits a spoofed website, every piece of information presented to them is supplied by the attacker: the web page, the URL and the SSL certificate (if any).[54] Allowing the user to record notes about their relationship with a website adds a user-derived element to the interface, and so improves the browser’s ability to assist with the authentication of websites. The protection does depend on the user having set a note for the genuine site and noticing its absence when a lookalike site is displayed; the widget cannot flag a site the user has never named.
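The following is an added illustration of the mechanism described above; it is not code from the Petname Tool or from the authors of this submission. It models a toolbar note store in which each note is keyed by the site’s TLS certificate fingerprint as observed by the browser, so that nothing the page supplies (its title, its URL text or its content) can influence what the widget shows. The keying on certificate fingerprint, the tab structure and the sample sites are assumptions made for the example.

```javascript
// Added example, not the Petname Tool's own code. Models the core of a
// petname widget: user-written notes keyed by an identity the browser
// observes itself (assumed here to be the TLS certificate fingerprint),
// never by anything the page supplies.

const petnameStore = new Map(); // certificate fingerprint -> user's note

// The identity the browser binds a note to. Page-controlled fields such as
// the title and URL text are deliberately ignored.
function siteKey(tab) {
  if (!tab.tls) return null; // no certificate: nothing trustworthy to bind to
  return tab.tls.fingerprint;
}

// Called only from the toolbar UI, i.e. by the user, never by page script.
function setPetname(tab, note) {
  const key = siteKey(tab);
  if (key === null) {
    throw new Error('cannot name a site that presents no certificate');
  }
  petnameStore.set(key, note);
}

// What the toolbar widget displays for the current tab.
//   known       - the user has named this site; show their note
//   unknown     - a certificate is present but the user never named it
//   no-identity - no certificate, so the widget has nothing to compare
function widgetState(tab) {
  const key = siteKey(tab);
  if (key === null) return { state: 'no-identity', note: null };
  if (petnameStore.has(key)) {
    return { state: 'known', note: petnameStore.get(key) };
  }
  return { state: 'unknown', note: null };
}

// Constructed sample tabs (hostnames, titles and fingerprints are made up).
const genuineTab = {
  url: 'https://www.examplebank.test/login',
  title: 'Example Bank - Sign in',
  tls: { fingerprint: 'SHA1:0A:1B:2C:3D:4E:5F' },
};
// A lookalike site with a perfectly valid certificate of its own. Its page
// and URL are attacker-chosen copies; its fingerprint cannot be.
const spoofTab = {
  url: 'https://www.examp1ebank.test/login',
  title: 'Example Bank - Sign in',
  tls: { fingerprint: 'SHA1:FF:EE:DD:CC:BB:AA' },
};
// The same bank over plain HTTP: no certificate, so no identity to name.
const plainTab = {
  url: 'http://www.examplebank.test/',
  title: 'Example Bank - Sign in',
  tls: null,
};

// The user names the genuine site once, on a visit they trust.
setPetname(genuineTab, 'my bank (named 2007-05)');

// Subsequent visits: the genuine site shows the note, the spoof shows none
// despite an identical title and near-identical URL.
function demo() {
  return {
    genuine: widgetState(genuineTab),
    spoof: widgetState(spoofTab),
    plain: widgetState(plainTab),
  };
}
```

One consequence of keying on the certificate fingerprint, as this model does, is that a legitimate site rotating its certificate will appear as "unknown" until the user renames it; a deployment would need to decide whether to key on the certificate, its public key, or the site identity asserted by the issuing CA, trading false alarms against resistance to spoofing.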
[54] Close T, Petname Tool: Enabling website recognition using the existing SSL infrastructure, W3C Workshop on Transparency and Usability of Web Authentication, March 2006, <http://www.w3.org/2005/Security/usability-ws/papers/02-hp-petname/>.