Hardening Web browsers against man-in-the-middle and eavesdropping attacks
Full text: PDF (770 KB)
Source: International World Wide Web Conference archive
Proceedings of the 14th international conference on World Wide Web
Chiba, Japan
SESSION: Security through the eyes of users
Pages: 489 - 498
Year of Publication: 2005
ISBN: 1-59593-046-9
Authors
Haidong Xia, University of Pittsburgh, Pittsburgh, PA
José Carlos Brustoloni, University of Pittsburgh, Pittsburgh, PA
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 34, Downloads (12 Months): 245, Citation Count: 6
DOI: http://doi.acm.org/10.1145/1060745.1060817

ABSTRACT

Existing Web browsers handle security errors in a manner that often confuses users. In particular, when a user visits a secure site whose certificate the browser cannot verify, the browser typically allows the user to view and install the certificate and connect to the site despite the verification failure. However, few users understand the risk of man-in-the-middle attacks and the principles behind certificate-based authentication. We propose context-sensitive certificate verification (CSCV), whereby the browser interrogates the user about the context in which a certificate verification error occurs. Considering the context, the browser then guides the user in handling and possibly overcoming the security error. We also propose specific password warnings (SPW) when users are about to send passwords in a form vulnerable to eavesdropping. We performed user studies to evaluate CSCV and SPW. Our results suggest that CSCV and SPW can greatly improve Web browsing security and are easy to use even without training. Moreover, CSCV had greater impact than did staged security training.

