What website is Aunt Tillie really on?

Last Friday I visited CoreStreet, a company whose ingenious approaches to large-scale credential validation and physical security I mentioned in my Permissions on the edge column last fall. While I was there, CoreStreet's president, Phil Libin, who blogs at vastlyimportant.com, showed me a neat gizmo intended to help Aunt Tillie understand where she's really going on the web. Consider this screenshot:

In the lower right browser window, I'm on CSPAN's Booknotes.org site, where -- David Sklar reminded me -- you can watch Brian Lamb's interviews with authors. In the upper left window, I'm watching the George Soros program. Note the extra toolbar in that window, which says: You're on virage.com. That's CoreStreet's Spoofstick in action. In this case, CSPAN's relationship with media partner Virage is made plain in the pop-up window, even though the URL-line is hidden. But when bad guys are running the show, it's all too easy for Aunt Tillie to wind up in the wrong neighborhood without realizing it.

Spoofstick is a beta extension for Firefox, with IE support "right around the corner." (Didn't things used to be the other way around?) It fits right in with one of the themes I've been developing lately: we need to standardize on the UI conventions that contextualize secure interaction on the web.

I don't think Spoofstick is a final solution, and neither do the CoreStreet folks. In this particular case, for example, what's Aunt Tillie to make of the fact that she's been transported by CSPAN to Virage? Is that OK or not? How's she supposed to evaluate all this?

In the case of a benign third-party relationship like this one, you could argue Spoofstick raises more questions than it answers. Nor would it surprise me if somebody discovers a way to spoof Spoofstick. But the principle at work here is sound. The information superhighway needs a standard system of roadsigns that Aunt Tillie can trust. The SSL lock was and is helpful, but we need to do more. Spoofstick suggests an important next step.

Former URL: http://weblog.infoworld.com/udell/2004/04/08.html#a969