Back from MIX…


And my talk is available on the web – go to http://sessions.visitmix.com/, type “Chris Wilson” in the search box and hit enter.  Choose the first result (the second one is my talk from last year).  Available in WMV and Silverlight format (which I checked out on my MacBook, and I’m pleased to report it worked well).

Comments (10)

  1. thacker says:

    Thanks for making available your discussion on IE. It added a good bit of insight.

    Security issues are foremost. I have discontinued support for IE6 in most areas of content development because of the security improvement within IE7.

    It would help if statistical data, including forecasts, were available regarding penetration levels of IE7 with the data broken down on a demographic basis — including business, home users, heavy users, country, region, etc.

    Additionally, when do you project IE6 to be a practical sunset application in the field?

    EV SSL Certificates.  I am in no way shape or form remotely sold on the concept that EV Certs are a true security improvement. I believe that the EV Certificate may promote a false sense of security for the home user. Any data or arguments to the contrary would be appreciated.

    Finally, the use of malicious JavaScript that cannot be identified by machine validation has me nervous as hell.  Any thoughts and directions in that area would also be appreciated.

    Thank you very much.

  2. thacker says:

    Wilson–

    Since you brought up security as the number one issue and concern within your MIX address, I am going to elaborate on few points which cause me significant concern.

    The foremost issue is that everyone within the Internet Communication chain must take responsibility to ensure security, awareness and education: Hosting Companies, Content Developers, Site Owners, Security Services and Providers, Certificate Authorities, Application Developers, et al.

    I am presenting an example of the absolute failure in that responsibility.

    I received a Phish attempt on 4 May 2007 at 0637 HRS EST.  This is a Phish against an Ohio based bank of Fifth Third, of which I am not a customer nor hopefully, that of your mother. Assumption is made that I was not the sole recipient.  There has been a recent flurry of Phish attempts against Fifth Third.  The one listed below is the latest.

    The URL:  http://businessbanking.53.com.session035102731.didop.cn/clientbase/form.asp/

    Quick examination of the URL indicates a Chinese domain.  A Whois search confirms that.

    I have let this sit until today, 6 May 2007 at 1130 HRS EST.

    As of 1503 HRS EST, this site is still active.  It was identified by Firefox as an attempted Phish. Opera and IE did not identify it.  The McAfee Site Adviser plug-in did identify it. In short, 80% of those who clicked on the link were directed to a professional duplication of a Fifth-Third banking site.

    Naturally, heuristic techniques came to mind in possible ability to identify such a thing … hell, the Chinese domain is clearly stated in the URL, i.e. at Microsoft’s end when such sites are reported by users via IE as was done at 1130 HRS EST, today, prior to human review.  What is more disconcerting is the lack of coordination between services that accumulate and process such information, i.e., if McAfee and Firefox picked this up .. database interfacing/notification should have automatically occurred between all services and databases that collect such information.  Failure of coordinated and intelligent efforts by application developers.

    Further research indicates that this Web site is hosted … in the UNITED STATES.  Yeah.  Not China .. but right here.  Not a mickey mouse [well, that is subjective] outfit either, Road Runner, a Time Warner Company.  Failure of the Hosting Company.

    Obviously, an assumption is being made on this point, Fifth Third Bank must be keeping banking hours, their security is staffed by monkeys, or both.  Failure of the Site Owner.

    Now, this is where it really starts to get disturbing.  The Web site includes a VeriSign Seal. Yeah .. the most widely recognized name in Certificate Authorities.

    Clicking on the VeriSign seal takes the visitor to a VeriSign Web site [one with the really nifty green IE background, too].  Once there, the visitor is displayed a really nice looking banner that describes that, on quick appearance, everything is just hunky damn dory and authenticated by the good ol’ on top of everything boys and girls of VeriSign.  Like they .. uh … really… uh .. forgot to have the referrer header info passed through before popping up this misleading information. Implicit trust in CA’s?  Implicit trust in CA’s vetting processes?  I don’t think so.  Failure of the Certificate Authority.

    How many developers and designers take a proactive approach to security and sell the concept that every project on every Web site developed should include a security and safety policy, upfront and not buried, that helps to educate and inform Web visitors on ways, methods and such to stay safe?  Very damn few.  Failure of the Content Developers and failure, again, of Site Owners.

    Chris, what I am trying to say, my above sarcasm aside, is that everyone within the Internet Communication chain needs to get headstrong and more involved in beating back the damn script monkeys and such.  Our livelihoods depend upon it.  Microsoft is in an ideal place to ramrod some of these issues such as knocking the CAs into line, creation of a joint infrastructure between security reporting resources, developing heuristic techniques that quickly tag URLs when reported, etc.  You are also in a position to help drive home the point that all Web content should have security and safety policies that are there to educate consumers.

    Improvements in IE should be made so that the reporting and checking of Phish sites is not buried within a menu structure.  Present an icon that is clearly visible.  [Sidebar: Microsoft’s audio CAPTCHA on the reporting site is malfunctioning]. For SSL, include the serial number and validation date within the primary dialog box when the padlock is first clicked.  No two serial numbers are identical and Web visitors should be educated to check domain names against those serial numbers with those serial numbers clearly presented on every Web site.

    Technology alone will not solve these security problems.  The greatest threat to any in-country operative is an educated and aware indigenous population.

    Thank you.

    PS.  It is Sunday and I will leave my rant, for another day, about how easily trust in EV Certs can be by-passed.  See?  There is a God.

    PSS. As of 1600 HRS EST, the Phish link is still not being reported by Microsoft as a Phish site.  Response time has to and must be much quicker.
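The URL heuristic the comment above calls for (the real owner of a hostname is its registrable domain, not a brand name that merely appears among its labels) can be shown in a few lines. This is an added example, not code from the post or its commenter: the public-suffix table and the protected-brand list are constructed stand-ins for the real Public Suffix List and a deployment's own brand feed, and the URL analysed is the one quoted in the comment.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (a real deployment loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "co.uk"}

# Constructed list of brand domains being protected; 53.com is the bank named in the comment.
PROTECTED_DOMAINS = {"53.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label) of a hostname.

    Tries the longest candidate suffix first so that 'foo.com.cn' resolves to
    'foo.com.cn' rather than 'com.cn'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def _contains_label_sequence(labels: list, needle: list) -> bool:
    """True when the labels of `needle` appear contiguously inside `labels`."""
    n = len(needle)
    return any(labels[i:i + n] == needle for i in range(len(labels) - n + 1))


def analyze_url(url: str) -> dict:
    """Flag a URL whose hostname embeds a protected brand domain under an unrelated
    registrable domain, which is the pattern in the phishing URL quoted above."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    labels = host.split(".")
    findings = []
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            continue  # the brand really owns this hostname
        if _contains_label_sequence(labels, brand.split(".")):
            findings.append(
                f"brand domain {brand} appears inside hostname but the registrable "
                f"domain is {reg}"
            )
    return {
        "host": host,
        "registrable_domain": reg,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # The URL from the comment above, followed by the bank's own hostname for contrast.
    for u in (
        "http://businessbanking.53.com.session035102731.didop.cn/clientbase/form.asp/",
        "https://businessbanking.53.com/login",
    ):
        print(analyze_url(u))
```

The registrable-domain step is the part that matters: a browser or reporting service that matched on the brand string alone would accept the lookalike, while keying on the registrable domain makes the mismatch obvious before any human review. Swapping the constructed suffix table for the full Public Suffix List makes the same logic work on arbitrary hostnames.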

  3. Nick says:

    Hi Chris, nice presentation 🙂

    Maybe a bit off topic, but where can we post ideas or ask for stuff on IE?

    E.g. Why isn’t accessibility built in IE7, lots of controls don’t have names or duplicate names (see UISpy from UI Automation classes)

    Why wasn’t this all included when creating IE7?

    And keep on doing the great blog, it’s very interesting to hear from ‘the internals’ of IE… 🙂

    Thanks,

    Nick

  4. Webdesign says:

    Nice presentation indeed 🙂

    Maybe a bit off topic, but where can we post ideas or ask for stuff on IE?

    E.g. Why isn’t accessibility built in IE7, lots of controls don’t have names or duplicate names (see UISpy from UI Automation classes)

    Why wasn’t this all included when creating IE7?

    And keep on doing the great blog, it’s very interesting to hear from ‘the internals’ of IE… 🙂

  5. bilgi yarışması says:

    PS.  It is Sunday and I will leave my rant, for another day, about how easily trust in EV Certs can be by-passed.  See?  There is a God.

    PSS. As of 1600 HRS EST, the Phish link is still not being reported by Microsoft as a Phish site.  Response time has to and must be much quicker.

  6. Medyum says:

    Why wasn’t this all included when creating IE7?

  7. Medyum says:

    I am presenting an example of the absolute failure in that responsibility.

  8. medyum says:

    PS.  It is Sunday and I will leave my rant, for another day, about how easily trust in EV Certs can be by-passed.  See?  There is a God.

    PSS. As of 1600 HRS EST, the Phish link is still not being reported by Microsoft as a Phish site.  Response time has to and must be much quicker.

  9. E.g. Why isn’t accessibility built in IE7, lots of controls don’t have names or duplicate names (see UISpy from UI Automation classes)

  10. medyumhakan says:

    A great and trustworthy site, thank you…