Abstract
In spite of the use of standard Web security measures (SSL/TLS), users enter sensitive information such as passwords into fake Web sites. Such fake sites cause substantial damage to individuals and corporations. In this work, we identify several vulnerabilities of browsers, focusing on their security and identification indicators.
We present improved security and identification indicators, as implemented in TrustBar, a browser extension we developed. With TrustBar, users can assign a name or logo to identify an SSL/TLS-protected site; if the user has not assigned a name or logo, TrustBar identifies the protected site by the site's own name or logo and by the certificate authority (CA) that identified the site.
We present usability experiments that compared TrustBar's indicators with the basic indicators available in most browsers (padlock, URL, and https prefix), together with some relevant secure-usability principles.
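The identification logic the abstract describes, as an added illustration that is not TrustBar's own code: a user-assigned name takes precedence, otherwise the indicator falls back to the certified site name and the identifying CA. It assumes the label is bound to the certified identity (subject name plus issuing CA) rather than to the displayed URL, and the certificate fields and sample values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    """Fields an indicator reads from an already-validated TLS server certificate.
    Constructed stand-in; a real extension would read them from the browser's certificate API."""
    subject_cn: str   # host name in the certificate, e.g. "www.example-bank.test"
    subject_org: str  # organisation name; empty for domain-validated certificates
    issuer_cn: str    # name of the CA that identified the site


@dataclass
class TrustIndicator:
    """Assumed model: the user's label is keyed by (subject CN, issuing CA), so a
    look-alike site with its own certificate never inherits a name the user assigned."""
    petnames: dict = field(default_factory=dict)

    def assign(self, cert: ServerCert, label: str) -> None:
        self.petnames[(cert.subject_cn, cert.issuer_cn)] = label

    def indicator(self, cert: Optional[ServerCert]) -> str:
        if cert is None:
            return "NOT PROTECTED"  # plain HTTP: no certified identity at all
        label = self.petnames.get((cert.subject_cn, cert.issuer_cn))
        if label is not None:
            return f"{label} (name assigned by you)"
        # Same host name as a site the user already named, but a different CA vouches
        # for it: possibly a legitimate reissue, but worth surfacing rather than
        # silently showing the unfamiliar-site form.
        for (cn, issuer), known in self.petnames.items():
            if cn == cert.subject_cn and issuer != cert.issuer_cn:
                return f"WARNING: '{known}' was identified by {issuer}, this site by {cert.issuer_cn}"
        who = cert.subject_org or cert.subject_cn
        return f"{who}, identified by {cert.issuer_cn}"


def demo() -> list:
    """Walk through the three cases with constructed certificates."""
    ti = TrustIndicator()
    bank = ServerCert("www.example-bank.test", "Example Bank Inc", "Example CA")
    ti.assign(bank, "My Bank")
    lookalike = ServerCert("www.examp1e-bank.test", "", "Other CA")
    reissued = ServerCert("www.example-bank.test", "Example Bank Inc", "Other CA")
    return [ti.indicator(None), ti.indicator(bank), ti.indicator(lookalike), ti.indicator(reissued)]
```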
Index Terms
Security and identification indicators for browsers against spoofing and phishing attacks