
Security and identification indicators for browsers against spoofing and phishing attacks

Published: 06 October 2008

Abstract

In spite of the use of standard Web security measures (SSL/TLS), users enter sensitive information such as passwords into fake Web sites. Such fake sites cause substantial damage to individuals and corporations. In this work, we identify several vulnerabilities of browsers, focusing on their security and identification indicators.

We present improved security and identification indicators, as implemented in TrustBar, a browser extension we developed. With TrustBar, users can assign a name or logo to identify an SSL/TLS-protected site; if the user has not assigned a name or logo, TrustBar identifies the protected site by the name or logo of the site together with the certificate authority (CA) that identified the site.

We present usability experiments which compared TrustBar's indicators to the basic indicators available in most browsers (padlock, URL, and https prefix), and some relevant secure-usability principles.
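The following is an added example, not code from the paper or from the TrustBar extension itself, that illustrates the indicator rule described in the abstract: a user-assigned name wins, and otherwise the toolbar shows the site's certified name together with the CA that identified it. The three certificate fields, the string form of the indicator, and the way an unprotected (non-TLS) page is flagged are all assumptions made for this example; the sample identities are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TlsIdentity:
    """Identity the browser learns from a *validated* server certificate.

    The three fields are an assumption for this example; a real toolbar
    reads them from the certificate chain the browser has already verified.
    """
    subject_org: str   # organisation named in the certificate subject
    subject_cn: str    # host name the certificate was issued for
    issuer_ca: str     # certificate authority that vouched for the subject

    def key(self) -> Tuple[str, str, str]:
        # The user's name is bound to the certified identity, never to the
        # URL text, so a look-alike domain presenting its own certificate
        # does not inherit the label the user gave the real site.
        return (self.subject_org, self.subject_cn, self.issuer_ca)


class IndicatorStore:
    """Holds the user's own names (or logo references) for protected sites."""

    def __init__(self) -> None:
        self._petnames: Dict[Tuple[str, str, str], str] = {}

    def assign(self, ident: TlsIdentity, label: str) -> None:
        """Record the user's chosen name (or logo reference) for this identity."""
        self._petnames[ident.key()] = label

    def indicator(self, ident: Optional[TlsIdentity]) -> str:
        """Text the toolbar would display for the current page."""
        if ident is None:
            # Assumption: the abstract does not say how unprotected pages are shown.
            return "Unprotected page: no SSL/TLS"
        label = self._petnames.get(ident.key())
        if label is not None:
            # User-assigned name takes precedence.
            return label
        # Fallback from the abstract: certified site name plus the identifying CA.
        return f"{ident.subject_org}, identified by {ident.issuer_ca}"


def walkthrough() -> Dict[str, str]:
    """Run the indicator over constructed identities and return what each shows."""
    store = IndicatorStore()
    # Constructed sample identities (not real certificates).
    bank = TlsIdentity("Example Bank Ltd", "www.example-bank.test", "Example Root CA")
    lookalike = TlsIdentity("Example Bank Ltd", "www.examp1e-bank.test", "Another CA")

    results = {"before_assign": store.indicator(bank)}
    store.assign(bank, "My Bank")
    results["after_assign"] = store.indicator(bank)
    # Same organisation string, different certificate: the user's label is NOT shown.
    results["lookalike"] = store.indicator(lookalike)
    results["plain_http"] = store.indicator(None)
    return results


if __name__ == "__main__":
    for page, shown in walkthrough().items():
        print(f"{page:15s} -> {shown}")
```

The design choice worth noting is the lookup key: because it is built from the certificate's subject and issuer rather than from the address bar, a site that merely copies the organisation name into its own certificate falls through to the CA-identified fallback, and the absence of the familiar user-assigned label is itself the signal.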



Published in

  ACM Transactions on Internet Technology, Volume 8, Issue 4
  September 2008
  216 pages
  ISSN: 1533-5399
  EISSN: 1557-6051
  DOI: 10.1145/1391949

  Copyright © 2008 ACM

  Publisher: Association for Computing Machinery, New York, NY, United States

  Publication History

  • Published: 6 October 2008
  • Accepted: 1 October 2006
  • Revised: 1 August 2006
  • Received: 1 August 2004

                  Qualifiers

                  • research-article
                  • Research
                  • Refereed
