The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 26 Issue 42

Thursday 7 April 2011

Contents

Mark another security problem done and solved. Web login systems are flawless and here to stay.
Kevin Fu
Info on RISKS (comp.risks)

Mark another security problem done and solved. Web login systems are flawless and here to stay.

Kevin Fu <kevinfu@cs.umass.edu>
April 1, 2011

It's been nearly ten years since the the USENIX Security [1] "cookie
eaters" paper [2] and the humor-less talk [3] that provided a secure
cookie authentication scheme and claimed to demonstrate weaknesses in
commercially deployed web login systems at places like the Wall Street
Journal [4].  Follow-up discussion appeared in a 2001 CACM Inside
Risks column [5].  I've finally decided to come clean; I'd like to
officially recant the 2001 USENIX Security paper for three reasons:
Web login systems are inherently flawless [6] and any problem is the
user's fault; no one has ever found any problems in a realistic
scenario [7], and the authors cannot possibly be real people.
Scientists occasionally publish erroneous results.

First, the problems were way overblown.  I mean, who even logs into web
sites today anyway?  Gopher and FTP have the most opportunity to gain
mind share; the Web is already saturated.  The New York Times [8]
recently followed suit with the WSJ paywall to install secure web
authentication systems.  It's flawless.  And if you really need extra
security, just use a two factor authentication dongle [9].  Or pick a
password like changeme123 [10].

Second, neither count thou two [11].

Third, the authors are not real. It turns out I had nothing to do with
this paper at all.  I mean, just look at the photo of those four kids
at USENIX Security [12].  Have you ever seen me wear tennis shoes and
jeans?  Clearly that should have been a tip off that some
Fu-doppelgänger was involved.  Nick [13] and Emil [14] might have been
duped, and Dan Wallach was certainly was a replicant.  I mean, look at
Dan [12].  He's wearing khakis.  There's no way that's really Dan [15].
And has anyone ever seen Kendra [16]?  Some think that she saw
our totems and tricked us into inception of this cookie authentication
fable.  For all we know, she probably joined the NSA!

Only a few years ago did I awake from my cryogenic suspension after
SCADA systems [17] for the local power substation failed.  In the
meantime, this Fu doppelgänger managed to build up my publication
record.  Thank goodness for Stuxnet [18] or I might never have woken.
Let me explain what happened.  After dabbling with Merkle trees in
file systems [19] in the late 1990s, I asked Ralph Merkle for a good
place for ice cream because Tosci's was closing at the MIT student
center [20].  But he misinterpreted and sent me to his cryogenic
chamber [21].  One you log in, you don't log out.  Upon thawing, I was
quite surprised to learn that Christof Paar and Ari Juels tricked my
doppelgänger into organizing a workshop on aphid security and privacy
[22].  The poor little bugs get such a bad wrap because they are so
tiny yet can damage the leaves of a Merkle tree.  If you are still
reading this, you must be depressed about the state of security of web
authentication and everything else---whether it's 2001 or 2010.
April Fools!

	Cheers,
	Kevin

[1] http://www.usenix.org/events/sec01/
[2] http://prisms.cs.umass.edu/bibliography/kevin.php?q=webauth:sec10
[3] http://www.cs.umass.edu/~kevinfu/talks/Fu-cookie-slides.pdf
[4] http://www.cs.umass.edu/~kevinfu/news/wsj.html
[5] http://www.csl.sri.com/users/neumann/insiderisks.html#135
[6] http://codebutler.com/firesheep
[7] http://www.crypto.com/bingo/pr
[8] http://ocunwired.ocregister.com/2011/03/29/how-to-circumvent-ny-times-pay-wall/6851/
[9] http://www.computerweekly.com/blogs/david_lacey/2011/03/rsa_hack_is_a_timely_reminder.html
[10] http://www.thetechherald.com/article.php/201106/6785/Report-HBGary-used-as-an-object-lesson-by-Anonymous
[11] http://en.wikipedia.org/wiki/Holy_Hand_Grenade_of_Antioch
[12] http://www.usenix.org/events/sec01/DCphotos/02.jpg
[13] http://www.cc.gatech.edu/~feamster/
[14] http://www.emilsit.net/
[15] http://www.cs.rice.edu/~dwallach/
[16] http://www.amazon.com/Five-Ways-Disappearing-Kendra-Smith/dp/B0000251JQ
[17] http://www.schneier.com/blog/archives/2007/10/staged_attack_c.html
[18] http://en.wikipedia.org/wiki/Stuxnet
[19] http://www.google.com/search?q=sfs+read-only+file+system
[20] http://tech.mit.edu/V127/N64/toscaninis.html
[21] http://www.merkle.com/cryo/
[22] http://rfid-cusp.org/rfidsec/

Kevin Fu
Assistant Professor
Computer Science Department
University of Massachusetts Amherst
http://www.cs.umass.edu/~kevinfu/

Please report problems with the web pages to the maintainer

Top