Saphe future versions

Operational issues

  • Adjust the current plugin to support operating systems other than Windows (Unix and Mac)
  • Create plugins for more browser types (mainly Microsoft Internet Explorer)
  • Add automatic installer, as described here
  • Add some kind of protection for the plugin after it is installed, so that it cannot be replaced with another version by a malicious server (more research needed)

Functionality issues

  • Support of password hashes instead of plain-text passwords (the server may choose one of them)
  • Support more encryption algorithms (that the server may choose from)
  • Make the dialog box even more noticeable and harder for a phisher to mimic using web code (JavaScript, etc.). The visual effect should be such that the user will immediately notice its absence. Several ideas: use a unique shape/image for the dialog box, minimize the browser while working, blur the desktop while working, etc. The idea is that an application running on the user's machine has much more power to do stuff than any web-based code
  • Optional embedded HTML code instead of automatic login. The Saphe data will contain encrypted HTML code which will be opened by the browser after successfully authenticating the server instead of immediately sending the user-name and password to the login URL. This can be used, for example, to allow more details (such as ID number) to be entered along with the user-name and password, and for various idiosyncratic data to be presented to the user before sending his password (this will not add security, but will give the user a warm fuzzy feeling). Currently this feature is not supported, since Firefox apparently did not implement the required browser API function NPN_Write (it always returns 0, meaning that no stream-data was written to the browser)
  • Find a more reliable way of discovering the user's real IP address. Possible solutions (remember that they have to be secure): run a dedicated secure server for this purpose, use various protocols (such as P2P protocols), find a general way to communicate with the NAT server to get the real IP (SNMP using ipAdEntAddr, maybe?), ask multiple 'whois' web sites in parallel and compare all of their results, divine knowledge, etc.

GUI issues

  • Hide Saphe dialog box when switching between tabs in the same browser
  • Remove the IP address widget from the dialog box, as it is not relevant for the user (and may even scare them, a little)
  • Add help messages for the user in a visible spot in the dialog box (or maybe in a separate message box). These messages should be short and clear, and tell the user what he should do if something unexpected happens (for example: what should he do if the browser warns him that the site's certificate is not valid [hint: stop the login process!], what should be done in the case of an attempted Phishing alert, etc.)

User suggestions

Send suggestions and questions to saphesolution@yahoo.com.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License