Outline
• Motivation
• Web spoofing problem
• Web spoofing attacks – works done
• Web spoofing countermeasures – works done
• New idea
Citibank scam - 2004
• Email sent to the Citibank account holder: "Your account was blocked, you have to fill a form in the following link."
• The link does not lead to the real bank: the user is tricked to the wrong site.
PayPal Targeted by Scam Artists - 2002
• Email sent to the account holder: "We are replacing the current system with a new one. Click here to fill your details."
• Real site: https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run
• Scam site: http://www.paypalsys.com/
• Not the real bank: the user is tricked to the wrong site.
Bank Leumi – potential scam
• Lack of consistency, complex URL structure:
– http://www.bll.co.il
– http://www.leumi.co.il
– http://www.bankleumi.co.il
– http://www.leumibank.co.il
Our Players
• User: performs sensitive tasks.
• Server: server authentication is possible.
• Is the browser-user communication model secure enough to warrant this assumption?
Web Spoofing
• Spoofing is pretending to be someone else.
• The user surfs a "faked site" as if it were the real one he intended to visit.
• (Diagram: the user wants to check his bank account; through the Internet he may reach the intended site, a faked site or other sites. Attacker: "Great, I get it. Faked site!")
Faked Site
• A site that imitates another one in its appearance and actions for malicious purposes.
• To succeed, the imitation process must take into account the level of awareness of the potential victim.
• Content: the page content as sent by the server. Status: information produced by the browser.
Content imitation
• Imitate the page content.
• Created by copying HTML files.
• "Fine" for users who judge sites according to their visual context.
Content & Status imitation
• Status information produced by the browser must also be imitated, and actions must be imitated.
• Requires some programming effort.
• "Fine" for sophisticated users.
How the Users Get "Phished"
• Normal surfing
– Link in a popular web page
– Search engine
• Web-enabled email
– Sent by the attacker
• Man in the middle attack
– The attacker sits between the user and the real site
Works Done
• Web Spoofing: An Internet Con Game – 1996
– Edward W. Felten and others.
– Spoofing the entire WWW.
• Web Spoofing Revisited: SSL and Beyond – 2002
– Zishuang, Yuan and Smith.
– Can users believe what their browsers tell them?
• Trust on Web Browser: Attack vs. Defence
– No author given.
• Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing – 2002
– Zishuang, Yuan and Smith.
– Demonstrates an open source remedy.
URL rewriting (Felten et al.)
• The victim is somehow lured into the attacker's web.
• The victim remains trapped in the attacker's web due to URL rewriting.
• (Diagram: www.attacker.org sits between the victim and www.server.com)
– 1: request URL
– 2: request real URL
– 3: real page content
– 4: change page (every link is rewritten, e.g. http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com)
– 5: spoofed page content
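The three slides above (the PayPal look-alike domain, the inconsistent Bank Leumi domains and the URL-rewriting trap) share one defensive check that a trusted-path indicator could make from the URL alone. The following is an added example, not code from the deck or from any of the cited papers; the allowlist of legitimate hosts and the "brand label" heuristic are assumptions constructed for the demo.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts the user actually intends to reach (assumption:
# the deck names these sites but gives no authoritative list of legitimate hosts).
TRUSTED_HOSTS = {
    "www.paypal.com",
    "home.netscape.com",
    "www.leumi.co.il",
    "www.bankleumi.co.il",
}

def brand_of(host: str) -> str:
    """Second-level label of a host, e.g. 'paypal' for www.paypal.com.
    Treats two-label suffixes such as co.il as one suffix (demo heuristic)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net") and len(labels[-1]) == 2:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else host

def classify_link(url: str) -> str:
    """Classify a link from its URL: 'trusted' (host on the allowlist),
    'rewritten' (a trusted host embedded in another site's path or query,
    the URL-rewriting trap), 'lookalike' (a host that borrows a trusted
    brand label but is not on the allowlist) or 'unknown'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    # URL rewriting: the real site's name rides along inside the attacker's URL.
    rest = (parsed.path + "?" + parsed.query).lower()
    if any(trusted in rest for trusted in TRUSTED_HOSTS):
        return "rewritten"
    # Look-alike: a trusted brand label appears inside a foreign host name.
    trusted_brands = {brand_of(h) for h in TRUSTED_HOSTS}
    if any(brand in host for brand in trusted_brands):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for link in ("https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run",
                 "http://www.paypalsys.com/",
                 "http://www.attacker.org/http://home.netscape.com",
                 "http://www.leumibank.co.il"):
        print(f"{classify_link(link):10} {link}")
```

The Bank Leumi case shows the limit of this approach: when a bank legitimately uses several domain structures, an unlisted but genuine host and a look-alike are indistinguishable by name, which is why the deck argues for a browser-controlled trusted indicator instead.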
Abstract
• Suggests a solution that defends against web spoofing.
• Creates a trusted path from the browser to the user.
• Implemented in Mozilla, an open source browser.
Design Criteria
• Effectiveness: the user can correctly recognize a large amount of status information.
• Work: cannot expect users to do a lot of work.
• Intrusiveness: minimize intrusion on content.
Rejected Approaches
• Preventing the opening of windows with status elements turned off.
– What about pop-up warning windows?
– What about certificate information pages?
• Constricting the display of server pages.
• The user enters a "MAC phrase" at startup and the browser inserts it in each status element.
• Adding some phrase to the title of windows.
Solution
• A marking scheme that servers cannot predict.
• This scheme marks the trusted status content.
• Synchronized Random Dynamic boundaries (SRD).
• (Diagram: window types; the style of the boundary changes at random; trusted vs. untrusted; server material vs. browser material.)
New Idea
• Creating a safe region at the top of each browser window.
• It is out of the loaded site's control.
• Enables personal skinning.
• SSL-secured sites are identified by a logo in this region.
• Credential logos will appear in this region.
• Implemented in the Mozilla browser.
(Diagram labels: recommendation; safe region; identification logo.)
Interaction between TBRS and other entities
• (Diagram labels: enhanced browser; browser; site; establishing a secure channel / server certificate verification; TBRS; list of recommendations and logos on request; additional recommendations from the Internet.)
TBRS Components
• (Diagram flow: viewed site and additional sources → recommendations → CCM → collected recommendations, together with the initial server certificate from the browser → CTM → recommendations in a uniform structure → CAMM → attributes mapped to logos → SRCM → display of logos in the safe region.)