ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Security and identification indicators for browsers against spoofing and phishing attacks
Full text PdfPdf (3.67 MB)
Source
ACM Transactions on Internet Technology (TOIT) archive
Volume 8 ,  Issue 4  (September 2008) table of contents
Article No. 16  
Year of Publication: 2008
ISSN:1533-5399
Authors
Amir Herzberg  Bar Ilan University, Ramat-Gan, Israel
Ahmad Jbara  Bar Ilan University, Ramat-Gan, Israel
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 70,   Downloads (12 Months): 953,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1391949.1391950
What is a DOI?

ABSTRACT

In spite of the use of standard Web security measures (SSL/TLS), users enter sensitive information such as passwords into fake Web sites. Such fake sites cause substantial damages to individuals and corporations. In this work, we identify several vulnerabilities of browsers, focusing on security and identification indicators.

We present improved security and identification indicators, as we implemented in TrustBar, a browser extension we developed. With TrustBar, users can assign a name or logo to identify SSL/TLS-protected sites; if users did not assign a name or logo, TrustBar identifies protected sites by the name or logo of the site, and by the certificate authority (CA) who identified the site.

We present usability experiments which compared TrustBar's indicators to the basic indicators available in most browsers (padlock, URL, and https prefix), and some relevant secure-usability principles.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Anti-Phishing Working Group. 2006. Phishing activity trends report. http://www.antiphishing.org/reports/apwg_report_May2006.pdf.
 
2
Anti-Phishing Working Group. 2005. Phishing archive. http://www.antiphishing.org/.
3
Hovav Shacham , Dan Boneh , Eric Rescorla, Client-side caching for TLS, ACM Transactions on Information and System Security (TISSEC), v.7 n.4, p.553-575, November 2004  [doi>10.1145/1042031.1042034]
 
4
Chi-Yin Chow , Hong Va Leong , Alvin T. S. Chan, Group-Based Cooperative Cache Management for Mobile Clients in a Mobile Environment, Proceedings of the 2004 International Conference on Parallel Processing, p.83-90, August 15-18, 2004  [doi>10.1109/ICPP.2004.39]
 
5
Citibank Corporation. 2004. Learn about or report fraudulent e-mails. http://www.citibank.com/domain/spoof/report_abuse.htm.
 
6
Close, T. 2006. Petname tool: Enabling Web site recognition using the existing SSL infrastructure. In W3C Workshop on Transparency and Usability of Web Authentication. http://www.w3.org/2005/Security/usability-ws/papers/02-hp-petname/.
7
Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073009]
8
Rachna Dhamija , J. D. Tygar , Marti Hearst, Why phishing works, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada  [doi>10.1145/1124772.1124861]
 
9
Carl M. Ellison, The nature of a useable PKI, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.9, p.823-830, April 23, 1999
 
10
Ellison, C. and Schneier, B. 2000. Ten risks of PKI: What you're not being told about public key infrastructure. Comput. Security J. 16, 1, 1--7. http://www.schneier.com/paper-pki.html.
 
11
C. Ellison , B. Frantz , B. Lampson , R. Rivest , B. Thomas , T. Ylonen, SPKI Certificate Theory, RFC Editor, 1999
 
12
Emigh, A. 2005. Online identity theft: Technology, chokepoints and countermeasures. Rep., Department of Homeland Security- SRI International Identity Theft Technology Council. October. http://www.antiphishing.org/Phishing-dhs-report.pdf.
 
13
Felten, E. W., Balfanz, D., Dean, D., and Wallach, D. S. 1997. Web spoofing: An Internet con game. In Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD. Also Tech. Rep. 540-96, Department of Computer Science, Princeton University. October.
 
14
Franco, R. 2004. Better Website identification and extended validation certificates in IE7 and other browsers. In Microsoft Developer Network's IEBlog. http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx.
 
15
Kevin Fu , Emil Sit , Kendra Smith , Nick Feamster, Dos and don'ts of client authentication on the web, Proceedings of the 10th conference on USENIX Security Symposium, p.19-19, August 13-17, 2001, Washington, D.C.
16
Evgeniy Gabrilovich , Alex Gontmakher, The homograph attack, Communications of the ACM, v.45 n.2, February 2002  [doi>10.1145/503124.503156]
 
17
Gasparini, L. A. and Gotlieb, C. E. 2006. Method and apparatus for authentication of users and Web sites. U.S. patent number 7100049.
 
18
Grigg, I. 2004a. personal communication.
 
19
Grigg, I. 2004b. PKI considered harmful. http://iang.org/ssl/pki_considered_harmful.html.
 
20
Grigg, I. 2004c. Phishing I: Penny black leads to billion dollar loss. http://www.financial cryptography.com/mt/archives/000159.html.
 
21
Harmon, A. 2004. Amazon glitch unmasks war of reviewers. http://www.nytimes.com/2004/02/14/technology/14AMAZ.html?ex=1392094800&en=183dc1d16a0c7b4c&ei=5007.
 
22
Amir Herzberg, Web Spoofing and Phishing Attacks and Their Prevention, Proceedings of the Fifth Mexican International Conference in Computer Science, p.3, September 20-24, 2004
 
23
Herzberg, A. 2006b. Browsers' defenses against phishing, spoofing and malware. Rep. 2006/083, Cryptology ePrint Archive. http://eprint.iacr.org/2006/083.
24
Amir Herzberg, Payments and banking with mobile personal devices, Communications of the ACM, v.46 n.5, p.53-58, May 2003  [doi>10.1145/769800.769801]
 
25
Herzberg, A. and Jbara, A. 2004. TrustBar: Protecting (even naïve) Web users from spoofing and phishing attacks. Rep. 2004/155, Cryptology ePrint Archive. http://eprint.iacr.org.
 
26
A. Herzberg , D. Naor, Surf'N'Sign: client signatures on Web documents, IBM Systems Journal, v.37 n.1, p.61-71, 1997
 
27
Jackson, C., Simon, D., Tan, D., and Barth, A. 2007. An evaluation of extended validation and picture-in-picture phishing attacks. http://usablesecurity.org/papers/jackson.pdf.
 
28
Jakobsson, M. 2005. Modeling and preventing phishing attacks. http://www.informatics.indiana.edu/markus/papers/publishing_jakobsson.pdf.
 
29
Jeff Johnson, GUI bloopers: don'ts and do's for software developers and Web designers, Morgan Kaufmann Publishers Inc., San Francisco, CA, 2000
 
30
Audun Jøsang , Mary Anne Patton, User interface requirements for authentication of communication, Proceedings of the Fourth Australasian user interface conference on User interfaces 2003, p.75-80, February 01, 2003, Adelaide, Australia
 
31
Jøsang, A., Patton, M. A., and Ho, A. 2001. Authentication for humans. In Proceedings of the 9th International Conference on Telecommunication Systems (ICTS), B. Gavish, ed. Cox School of Business, Southern Methodist University, Dallas, TX.
 
32
Kohlas and Maurer, U. 2000. Reasoning about public-key certification: On bindings between entities and public keys. IEEE J. Selected Areas Commun. 18, 4 (Apr.).
 
33
David P. Kormann , Aviel D. Rubin, Risks of the passport single signon protocol, Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking, p.51-58, June 2000, Amsterdam, The Netherlands
 
34
Birgit Pfitzmann , Michael Steiner , Michael Waidner , Gerard Lacoste, Semper--Secure Electronic Marketplace for Europe, Springer-Verlag New York, Inc., Secaucus, NJ, 2000
 
35
Lefranc, S. and Naccache, D. 2003. Cut-and-Paste attacks with Java. In Proceedings of the 5th International Conference on Information Security and Cryptology (ICISC). Lecture Notes in Computer Science, vol. 2587. Springer, 1--15.
 
36
Li, T. and Yongdong, W. 2003. Trust on Web browser: Attack vs. defense. In Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS), Kunming, China. Lecture Notes in Computer Science, Springer.
 
37
Litan, A. 2004. Phishing attack victims likely targets for identity theft. Gartner FirstTake Rep. FT-22-8873. Gartner Research. May.
 
38
Patrick McDaniel , Aviel D. Rubin, A Response to ''Can We Eliminate Certificate Revocation Lists?'', Proceedings of the 4th International Conference on Financial Cryptography, p.245-258, February 20-24, 2000
 
39
Micali, S. 1997. Efficient certificate revocation. In Proceedings of the RSA Data Security Conference.
 
40
Microsoft Corporation. 2004. The coordinated spam reduction initiative. http://www.microsoft.com/downloads/details.aspx?familyid=5577782e-462d-4bbe-92e5-b38c575229e4&sdisplaylang=en.
 
41
Modadugu, N. and Rescorla, E. 2004. The design and implementation of Datagram TLS. In Proceedings of the Network and Distributed System Security Symposium (NDSS). to appear.
 
42
Jakob Nielsen, Usability Engineering, Morgan Kaufmann Publishers Inc., San Francisco, CA, 1993
 
43
Pftizmann, A., Pftizmann, B., Schunter, M., and Waidner, M. 1999. Trustworthy user devices. In Multilateral Security in Communications, G. Muller and K. Rannenberg, eds. Addison-Wesley, 137--156. Earlier version: Trusting mobile user devices and security modules. IEEE Comput. 30, 2 (Feb.), 61--68.
 
44
Rescorla, E. 2000. SSL and TLS: Designing and Rebuilding Secure Systems. Addison-Wesley.
 
45
A. D. Rubin, Trusted distribution of software over the Internet, Proceedings of the 1995 Symposium on Network and Distributed System Security (SNDSS'95), p.47, February 16-17, 1995
 
46
S. Santesson , R. Housley , T. Freeman, Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates, RFC Editor, 2004
 
47
Stuart E. Schechter , Rachna Dhamija , Andy Ozment , Ian Fischer, The Emperor's New Security Indicators, Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.51-65, May 20-23, 2007  [doi>10.1109/SP.2007.35]
 
48
Security Focus. 2003. Multiple browser URI display obfuscation weakness. http://www.security focus.com/bid/9182/discussion/.
 
49
Tally, G., Thomas, R., and van Vleck, T. 2004. Anti-Phishing: Best practices for institutions and consumers. McAfee Research. March. http://www.networkassociates.com/us/_tier2/products/_media/mcafee.wp_antiphishing.pdf.
 
50
Tay, H. 2004. Visual validation of SSL certificates in the Mozilla browser using hash images. Computer Science Honors thesis, School of Computer Science, Carnegie Mellon University.
 
51
Webtrust. 2004. Frequently asked questions about WebTrust. The American Institute of Certified Public Accountants.
 
52
Alma Whitten , J. D. Tygar, Why Johnny can't encrypt: a usability evaluation of PGP 5.0, Proceedings of the 8th conference on USENIX Security Symposium, p.14-14, August 23-26, 1999, Washington, D.C.
53
Min Wu , Robert C. Miller , Simson L. Garfinkel, Do security toolbars actually prevent phishing attacks?, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada  [doi>10.1145/1124772.1124863]
 
54
Yahoo, Incorporated. 2006. Give password scams the boot with personalized sign-in seals. https://protect.login.yahoo.com/.
55
Zishuang (Eileen) Ye , Sean Smith , Denise Anthony, Trusted paths for browsers, ACM Transactions on Information and System Security (TISSEC), v.8 n.2, p.153-186, May 2005  [doi>10.1145/1065545.1065546]
 
56
Ye, E. Z., Yuan, Y., and Smith, S. 2002. Web spoofing revisited: SSL and beyond. Tech. Rep. TR2002-417. February.
 
57
Ka Yee, User Interaction Design for Secure Systems, University of California at Berkeley, Berkeley, CA, 2002
58
Ka-Ping Yee , Kragen Sitaker, Passpet: convenient password management and phishing protection, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania  [doi>10.1145/1143120.1143126]
 
59
Philip R. Zimmermann, The official PGP user's guide, MIT Press, Cambridge, MA, 1995

INDEX TERMS

Primary Classification:
  H. Information Systems
  H.4 INFORMATION SYSTEMS APPLICATIONS
      H.4.3 Communications Applications
          Subjects: Information browsers

Additional Classification:
  K. Computing Milieux
  K.4 COMPUTERS AND SOCIETY
      K.4.4 Electronic Commerce
          Subjects: Security
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Unauthorized access (e.g., hacking, phreaking)


General Terms:
Design, Experimentation, Human Factors


Keywords:
Human-computer interaction, Web spoofing, phishing, secure usability

Collaborative Colleagues:
Amir Herzberg: colleagues
Ahmad Jbara: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player