
Possible Duplicate:
Effectiveness of Security Images

Information about the efficacy of Yahoo's SignIn Seal is scarce; the best I could find was this section on Wikipedia's entry on Phishing, claiming that "few users refrain from entering their password when images are absent" and "this feature [...] is susceptible to other attacks" (which?). But even if users were attentive to it, I'm having trouble wrapping my head around the concept.

How does one ensure the seal will only be shown when the user is actually at that particular site? Looking at the source code of Yahoo's login page I see a myriad of techniques being used, but I find it hard to comprehend what their purposes are, and how they work together to achieve the goal:

  • JavaScript is used to check whether or not the page is in an iframe (not showing the image if it is - or if JavaScript is disabled);
  • The inserted image has a long random-looking token in its src, which I presume is to keep it secret;
  • The image url expires pretty quickly, so it can't be stolen and used somewhere else.

What I could infer from the above:

  1. The login page request must have been started from the user's browser, or else the cookie that holds the seal wouldn't be sent;
    • If the attacker puts the page in an iframe, he can't access its contents due to same-origin policy.
    • Likewise, the attacker can't request it via Ajax, for the same reason.
  2. On request of the login page, the server prepares a unique URL to serve that image (using the contents of the cookie - the image is not permanently stored on the server), with an unguessable token that the attacker could not have access to;
  3. The image will only be displayed if the page successfully determines it is not in an iframe; thus, if the user sees the image, he can be confident that the site is legit.

Is my reasoning correct? Are there any known attacks to this scheme? (maybe something involving MitM, etc)

mgibsonbr

2 Answers


It seems to me that the "correct" attack would be to emulate the behavior that is seen when you attempt to log in on a browser without any cookies already present. This effectively deactivates the "sign-in seal" completely, falling back to the default behavior.

This is the experience users see every time the user starts up a different browser or different computer or clears their cookies (either manually, or because of intervention from some zealous "anti-tracking" tool), so the user will certainly be familiar with it.

Sure, it's slightly different from what you normally see, but you've seen it often enough to recognize it as "real", and there's no other way forward than to put in your credentials anyway. After all, that's what you've done every other time you've seen this screen and it's been the correct behavior every other time.

So, not foolproof, but I'd say this technology is at least a step in the right direction. Not a perfect one, but you could argue that it's better than nothing (you could also argue that it's not, but there you go). At least they're thinking about it; that's further along than we were several years ago.

tylerl
  • I see the user factor seems to be the weakest link here, maybe that's why this technique is so seldom used in practice... About clearing the cookies, at first I thought the sudden disappearance of the seal might prompt the user to look more closely at the address bar; but now I agree with you: if it happens frequently enough the user will be trained to ignore it. – mgibsonbr Jan 16 '13 at 02:27

There is an answer somewhere on this site that asks something similar. In summary: although end users demand this feature, it really doesn't protect you at all.

One clever way to trick a user in this scenario is to use SSLStrip and replace the challenge image with "server down for maintenance".jpg and most users will see this and happily accept this as a replacement for the real icon they've selected.

If I can find that other answer I'll post a link.


Update: This feature is called SiteKey. Here is an excellent description of the solution and its vulnerabilities by @D.W.

makerofthings7
  • Thanks for the reference, I'll take a closer look at it. So many names (SignIn Seal, SiteKey, security image), didn't realise they referred to the same concept. – mgibsonbr Jan 16 '13 at 11:26