Phishing is a significant risk facing Internet users today.1,2 Through e-mails or instant messages, users are led to counterfeit Web sites designed to trick them into divulging usernames, passwords, account numbers, and personal information. It is up to the user to ensure the authenticity of the Web site. Browsers provide some tools (e.g., URL, SSL indicators, and optional toolbars), but these are limited by at least three issues:
Overview of the Sign-in Seal

The Yahoo! sign-in seal is a feature that allows users to personalize a sign-in page with an image of their choice.3,4 Unlike the Passmark SiteKey used by Bank of America,5 the personalization is tied to the browser/computer and not to a specific user account. This is a critical distinction that gives the two solutions quite different properties.

When signing in to Yahoo!, users who have not already personalized their sign-in page receive a CTA (call to action) prompting them to do so. This appears in the form of an image titled "prevent password theft" adjacent to the login fields of the sign-in page. The user can create a sign-in seal from either an uploaded image or text the user provides. The text background and border colors are randomly selected, although the user has the option to change the color.

If the user chooses to upload an image, it is resized in preparation for storage; if the user chooses to enter text, an image is created from the provided text. The prepared image is stored on Yahoo!'s image servers, where it receives a unique ID. The image can be accessed only with a valid token that is time-limited and protected by a secret shared between the login and image servers. After the image is stored, it is displayed in preview form. The user can make additional changes, then save it.

This seal is specific to the computer being used and is not associated with the user's account. As a result, this computer's sign-in seal does not appear on other computers, unless a user happens to set up an identical-appearing seal; even then, the two seals, though they appear to be identical, would be unrelated. Since it may not be obvious that a seal is specific to a particular computer, the user is reminded while saving the seal that it is set up only on the current computer and that the user must create seals for other computers.

Yahoo! saves the encrypted unique ID in a cookie that lets the login servers later generate an image URL that contains a valid token. This image URL is embedded in the sign-in page, causing the image to be fetched from the image servers. Because a user may clear cookies without intending to, thus removing the sign-in seal, Yahoo! also caches that information via other mechanisms available in the browser (e.g., Flash Shared Object, Internet Explorer Persistent User Data6). This cached information is used to display the sign-in seal only when cookies are missing. Users can remove their seals through the setup page. Although it is possible for these caches to get out of sync, they are not frequently used; thus, syncing them periodically is usually sufficient. The user is then taken to a sign-in page where the seal is displayed prominently inside the login box. At any time in the future, someone using that same browser/computer can change the sign-in seal.
by Naveen Agarwal, Scott Renfro, and Arturo Bejar, Yahoo!
© ACM, Inc. All rights reserved. |