1 / 25

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack. Source: ACSAC 2011 Authors: Dongwan Shin, Rodrigo Lopes Report: Minhao Wu Date: 2011-12-20. outline. Introduction Related work Our approach User study Discussion Conclusion. Introduction.

yagil
Télécharger la présentation

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Source: ACSAC 2011 Authors: Dongwan Shin, Rodrigo Lopes Report: Minhao Wu Date: 2011-12-20

  2. outline • Introduction • Related work • Our approach • User study • Discussion • Conclusion

  3. Introduction • SSLstripping attack introduced at the Blackhatconference in 2009 • It attacks secure socket layer (SSL), which is the most widely used security mechanism that enables secure communication establishment between two parties over the Internet. • As a type of man-in the-middle (MITM) attack, the attack could affect tens of millions of online users of popular SSL-protected web sites such as Facebook.com.

  4. Related work • Nikiforakis et al.proposed an approach to leveraging a client side HTTP proxy, which, relying on browser history, would compare the current request with previous requests made to the same website • it fails to address several issues • it requires a browser history • This automatically excludes all users that do not save browsing history • it assumes that the attack is never a zero day attack

  5. Our approach

  6. We developed an algorithm that will • look at the web page source code and • output an evaluation based on the comparison of the web page’s address and • the login form’s action data, which has an URL where credentials will be submitted

  7. if the page loaded by the web browser is already being accessed over SSL. • if the certificate proves not to be invalid, we compare the domain in the form action with the domain of the loaded page

  8. User study • General awareness of secure form submission • Effectiveness of SSLstripping, given the awareness • Unhelpfulness of an existing method • Helpfulness of visual cue-based methods • Effectiveness of different visual cue methods

  9. Group 1: Exposed to the attack with no warning • Group 2: Exposed to the attack with the standard pop-up warning dialog • Group 3: Exposed to the attack with the SSLight warning in the login form fields • Group 4: Exposed to the attack with the blinking background in the login form fields

  10. User study results

  11. Discussion

  12. CONCLUSION • the proposed solutions are more effective and efficient in preventing the SSLstripping attack than the classic pop-up window method. • We see the emergence of long solved security flaws in new devices, as is the case of the recent browser user interface spoofing in iPhone.

More Related