It's been nearly ten years since the USENIX Security [1] "cookie eaters" paper [2] and the humorless talk [3] that provided a secure cookie authentication scheme and claimed to demonstrate weaknesses in commercially deployed web login systems at places like the Wall Street Journal [4]. Follow-up discussion appeared in a 2001 CACM Inside Risks column [5]. I've finally decided to come clean; I'd like to officially recant the 2001 USENIX Security paper for three reasons: Web login systems are inherently flawless [6] and any problem is the user's fault; no one has ever found any problems in a realistic scenario [7]; and the authors cannot possibly be real people. Scientists occasionally publish erroneous results.

First, the problems were way overblown. I mean, who even logs into web sites today anyway? Gopher and FTP have the most opportunity to gain mind share; the Web is already saturated. The New York Times [8] recently followed suit with the WSJ paywall to install secure web authentication systems. It's flawless. And if you really need extra security, just use a two-factor authentication dongle [9]. Or pick a password like changeme123 [10].

Second, neither count thou two [11].

Third, the authors are not real. It turns out I had nothing to do with this paper at all. I mean, just look at the photo of those four kids at USENIX Security [12]. Have you ever seen me wear tennis shoes and jeans? Clearly that should have been a tip-off that some Fu-doppelgänger was involved. Nick [13] and Emil [14] might have been duped, and Dan Wallach was certainly a replicant. I mean, look at Dan [12]. He's wearing khakis. There's no way that's really Dan [15]. And has anyone ever seen Kendra [16]? Some think that she saw our totems and tricked us into inception of this cookie authentication fable. For all we know, she probably joined the NSA!

Only a few years ago did I awake from my cryogenic suspension after SCADA systems [17] for the local power substation failed. In the meantime, this Fu doppelgänger managed to build up my publication record. Thank goodness for Stuxnet [18] or I might never have woken. Let me explain what happened. After dabbling with Merkle trees in file systems [19] in the late 1990s, I asked Ralph Merkle for a good place for ice cream because Tosci's was closing at the MIT student center [20]. But he misinterpreted and sent me to his cryogenic chamber [21]. Once you log in, you don't log out. Upon thawing, I was quite surprised to learn that Christof Paar and Ari Juels tricked my doppelgänger into organizing a workshop on aphid security and privacy [22]. The poor little bugs get such a bad rap because they are so tiny yet can damage the leaves of a Merkle tree.

If you are still reading this, you must be depressed about the state of security of web authentication and everything else---whether it's 2001 or 2010. April Fools!

Cheers,
Kevin

[1] http://www.usenix.org/events/sec01/
[2] http://prisms.cs.umass.edu/bibliography/kevin.php?q=webauth:sec10
[3] http://www.cs.umass.edu/~kevinfu/talks/Fu-cookie-slides.pdf
[4] http://www.cs.umass.edu/~kevinfu/news/wsj.html
[5] http://www.csl.sri.com/users/neumann/insiderisks.html#135
[6] http://codebutler.com/firesheep
[7] http://www.crypto.com/bingo/pr
[8] http://ocunwired.ocregister.com/2011/03/29/how-to-circumvent-ny-times-pay-wall/6851/
[9] http://www.computerweekly.com/blogs/david_lacey/2011/03/rsa_hack_is_a_timely_reminder.html
[10] http://www.thetechherald.com/article.php/201106/6785/Report-HBGary-used-as-an-object-lesson-by-Anonymous
[11] http://en.wikipedia.org/wiki/Holy_Hand_Grenade_of_Antioch
[12] http://www.usenix.org/events/sec01/DCphotos/02.jpg
[13] http://www.cc.gatech.edu/~feamster/
[14] http://www.emilsit.net/
[15] http://www.cs.rice.edu/~dwallach/
[16] http://www.amazon.com/Five-Ways-Disappearing-Kendra-Smith/dp/B0000251JQ
[17] http://www.schneier.com/blog/archives/2007/10/staged_attack_c.html
[18] http://en.wikipedia.org/wiki/Stuxnet
[19] http://www.google.com/search?q=sfs+read-only+file+system
[20] http://tech.mit.edu/V127/N64/toscaninis.html
[21] http://www.merkle.com/cryo/
[22] http://rfid-cusp.org/rfidsec/

Kevin Fu
Assistant Professor
Computer Science Department
University of Massachusetts Amherst
http://www.cs.umass.edu/~kevinfu/