
Conveying Trust






Presentation Transcript


  1. Conveying Trust
     Serge Egelman

  2. Portal to The Interweb
     • Threats to privacy:
       • Phishing
       • Information interception
       • Fraudulent sites
     • Web browser is central
     • Email
     • IM
     • Detection must occur here

  3. In The Beginning…
     • Man-in-the-middle
     • Sniffing
     • SSL solved these
     • Browser SSL indicators:
       • Locks
       • Keys
       • Borders
       • URL bar

  4. SSL Indicators
     • Microsoft IE
     • Mozilla
     • Firefox
     • Safari

  5. But What About Phishing?
     • Toolbars
     • User notification:
       • Audio
       • Pop-ups
       • Indicators
     • Community ratings
     • Heuristics

  6. Phishing Toolbars
     • Clear Search
       • Scans email using heuristics

  7. Phishing Toolbars
     • Cloudmark
       • Community ratings

  8. Phishing Toolbars
     • eBay Toolbar
       • Community ratings

  9. Phishing Toolbars
     • SpoofGuard
       • URL analysis
       • Password analysis
       • Image analysis

  10. Phishing Toolbars
     • Trustbar (Mozilla)
       • Analyzes known sites
       • Analyzes certificate information

  11. Phishing Toolbars
     • Trustwatch
       • Site ratings

  12. But Do They Work?
     • No
     • 25 sites tested:
       • Cloudmark: 10 (40%) identified
       • Netcraft: 19 (76%) identified
       • SpoofGuard: 10 (40%) identified
       • Trustwatch: 9 (36%) identified

  13. Activity #1
     • Download a phishing toolbar:
       • http://www.cloudmark.com/desktop/download/
       • http://pages.ebay.com/ebay_toolbar/
       • http://crypto.stanford.edu/SpoofGuard/
       • http://trustbar.mozdev.org/
       • http://toolbar.trustwatch.com/
       • http://toolbar.netcraft.com/
     • Pros? Cons?
     • Is it usable?
     • How could it be circumvented?

  14. Other Browser Plugins
     • Previously mentioned toolbars:
       • Phishing
       • Fraudulent sites
       • Limited intelligence

  15. Password Hashing
     • Many users use same passwords
     • One compromise leads to many
     • Knowing real password doesn’t help
     • Hashing solves this
     • Passwords hashed automatically with domain name
     • User doesn’t know the difference
     • Mozilla extension
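Slide 15 describes deriving the password a site actually receives by hashing the user's master password together with the site's domain name. The following is an added Python illustration of that idea written for this page; it is not the Mozilla extension's code or its exact algorithm. The domain rule (last two hostname labels), the HMAC-SHA256 construction and the sample URLs and master password are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Return the domain the derived password is bound to.

    Assumed rule (not from the slide): keep the hostname's last two labels, so
    www.bank.example and login.bank.example share one password. A real
    deployment would consult the public-suffix list instead of this shortcut.
    """
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the password sent to a site from the master password.

    HMAC-SHA256 keyed with the master password over the domain: the user types
    the same master everywhere, each site receives a different value, and a
    site that captures its value cannot recover the master from it.
    """
    domain = site_key(url).encode("idna")  # punycode for non-ASCII hostnames
    mac = hmac.new(master.encode("utf-8"), domain, hashlib.sha256).digest()
    # base64 keeps the result typeable and accepted by ordinary password forms
    return base64.b64encode(mac).decode("ascii")[:length]


def same_site_password(master: str, url_a: str, url_b: str) -> bool:
    """True when two URLs would be given the same derived password."""
    return hmac.compare_digest(site_password(master, url_a),
                               site_password(master, url_b))


if __name__ == "__main__":
    master = "correct horse battery"            # constructed sample master password
    real = "https://www.bank.example/login"     # constructed sample sites
    look_alike = "https://bank-example.net/login"
    other = "https://shop.example/"
    for url in (real, look_alike, other):
        print(f"{site_key(url):18} -> {site_password(master, url)}")
    # The look-alike domain receives a value that is useless at the real bank,
    # and the shop never learns the value the bank receives.
    print("look-alike matches bank:", same_site_password(master, real, look_alike))
```

Because the browser does the hashing, the user never sees the difference, yet the value handed to a fraudulent domain is bound to that domain and cannot be replayed against the genuine one.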

  16. Dynamic Security Skins
     • User remembers one image
       • Trusted window
     • User remembers one password
       • Ease of use
     • Sites get hashed password
     • Matches two patterns to trust server
       • Generated using a shared secret

  17. Trusted Window

  18. Verifying Sites

  19. Using Tokens
     • Two factor authentication
       • Something you have
       • Usually cryptographic
     • SecurID
     • Smart cards
     • Random cryptographic tokens
     • Scratch cards

  20. Using Phones
     • Client side certificates
     • Private keys generated/stored on phone
     • New key for each phone
     • Keys linked to domain names
     • Key generated upon new connection
     • Bluetooth
     • No server modifications

  21. Current Browser Support
     • Hardware drivers
     • Crappy browser support
     • Example:
       • Simple text box
       • Make using the device unobtrusive
     • Activity #2

  22. False Sense of Security
     • JavaScript tricks
       • ING example
       • MITM
       • Spyware
     • Stored images
       • Bank of America example
       • MITM
       • Spyware
     • CAPTCHAs
       • MITM

  23. Activity #3
     • What security features really need to be prominent?
