An Empirical Evaluation of Security Indicators in Mobile Web Browsers
Chaitrali Amrutkar, Patrick Traynor and Paul C. van Oorschot
Presentation By :- Krishna Sai Mulpuri

CONTENT
Section 1: Introduction
Section 2: Terminologies and Guidelines
Section 3: Observations of Results
Section 4: Additional Results
Section 5: User's Interaction and Possible Attacks
Section 6: Conclusion

Introduction
The mobile platform is very popular in the 21st century and provides a rich set of features that often rival their desktop counterparts. Combined with strong cryptographic tools such as SSL/TLS, it allows users to become increasingly reliant on mobile devices for sensitive personal, social and financial exchanges. A 2011 report indicates that mobile users are three times more likely to access phishing websites than desktop users. The W3C has set forth guidelines for conveying security in the web user interface. The authors performed experiments on both mobile and desktop browsers.

W3C TERMINOLOGIES
- User Interface Elements
- Trust Anchor / Root
- Trusted Root Certificates
- Pinning
- Identity Signal
- Strong TLS
- Weak TLS
- Error Messages

W3C GUIDELINES
Identity Signal: Availability
Certificates: Required Content
TLS Indicators: Significance of Presence; Content & Indicator Proximity; Availability & Robustness
Robustness: Visibility of Indicators
Error Messages: Interruption; Proceeding Options; Inhibit Interaction

AUTHORS' TEST SETUP

IDENTITY SIGNAL
Contains information about the website owner and the corresponding certificate issuer.

CERTIFICATES
Certificates MUST provide the reasons for trust:
- Domain name
- Reason of trust: accepted interactively or not; self-signed or not; presented to the user or not

CERTIFICATES

TLS INDICATORS
- Availability
- Robustness
- Significance of Presence
- Content & Indicator Proximity

TLS INDICATORS

SOME OBSERVATIONS OF TLS INDICATORS

ROBUSTNESS
Web content MUST NOT obscure the security user interface. TLS indicators on the UI include the lock icon, the site identity button and the https URL prefix. Their visibility depends on the screen and its properties.

ERROR MESSAGES
- Interruption
- Proceeding Options
- Inhibit Operation

SOME OBSERVATIONS OF ERROR MESSAGES

ADDITIONAL RESULTS (+ve)
SSL version 2 MUST NOT be considered strong; after the experiment the authors found that none of the mobile or tablet browsers support it. The NULL cipher is one of the most dangerous ciphers, as it represents the lack of an encrypted communication channel. The authors found that none of the mobile or tablet browsers support the NULL cipher.

ADDITIONAL RESULTS (-ve)
A browser supporting a weak cipher can enable a network attacker to break the encrypted messages. The authors checked the weak cipher DES-CBC-SHA. Observations: 6 mobile and tablet browsers support the weak cipher; the others display error messages conveying the absence of an encryption protocol with the server.
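The two slides above describe checks for SSLv2, the NULL cipher and DES-CBC-SHA against browsers over the network. As an added example (not from the paper or the slides), the following Python audits a TLS client's cipher list offline, using the dict shape returned by `SSLContext.get_ciphers()`; the RC4/EXPORT tokens are an assumed extension of the slides' weak-cipher list.

```python
import ssl

# Tokens the slides' checks care about: NULL = no encryption at all,
# DES (covers DES-CBC-SHA) = breakable key size. RC4 and EXPORT are added
# here as further well-known weak families (assumption, not from the slides).
NULL_TOKENS = {"NULL", "eNULL"}
WEAK_TOKENS = {"DES", "RC4", "EXPORT", "EXP"}

def classify_cipher(cipher):
    """Classify one entry in the dict form returned by SSLContext.get_ciphers()."""
    tokens = set(cipher["name"].split("-"))
    bits = cipher.get("strength_bits", 0)
    if tokens & NULL_TOKENS or bits == 0:
        return "null"                      # no confidentiality at all
    if cipher.get("protocol") == "SSLv2":
        return "obsolete_protocol"         # SSLv2 MUST NOT be treated as strong
    if tokens & WEAK_TOKENS or bits < 128:
        return "weak"                      # e.g. DES-CBC-SHA at 56 bits
    return "acceptable"

def audit_cipher_list(ciphers):
    """Group cipher names by class so a reviewer sees at a glance what a client would negotiate."""
    report = {"null": [], "obsolete_protocol": [], "weak": [], "acceptable": []}
    for cipher in ciphers:
        report[classify_cipher(cipher)].append(cipher["name"])
    return report

def audit_context(ctx):
    """Audit the ciphers a real SSLContext would offer to a server."""
    return audit_cipher_list(ctx.get_ciphers())

# Constructed sample in the same shape as get_ciphers() output.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "NULL-SHA", "protocol": "SSLv3", "strength_bits": 0},
    {"name": "RC4-MD5", "protocol": "SSLv2", "strength_bits": 128},
]

if __name__ == "__main__":
    print("constructed sample:", audit_cipher_list(SAMPLE_CIPHERS))
    print("this interpreter's default context:", audit_context(ssl.create_default_context()))
```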

POSSIBLE ATTACKS
Four types of attacks are discussed which are possible due to violation of one or more W3C guidelines. If the W3C guidelines are not followed, users can easily be misled about the identity of the website or the security of the connection.
- Phishing without SSL
- Phishing with SSL
- Phishing using a compromised CA
- Industrial Espionage

PHISHING WITHOUT SSL
The attacker masquerades as a trustworthy entity: the attack closely imitates the legitimate website's identity, including lock icon spoofing, and is launched without SSL. A domain name quite similar to the legitimate website's gives the impression of the correct website identity. Making the favicon a lock image gives the illusion of strong encryption. When rendered in a browser where viewing the URL is difficult or that offers no UI to view the website's identity information, even an advanced user may be subjected to phishing.

PHISHING WITH SSL
Spoofing only the lock icon is not adequate for a successful phishing attack. An attacker can buy an inexpensive SSL certificate for the website to increase the credibility of the attack.

PHISHING USING COMPROMISED CA
The attacker obtains rogue certificates for legitimate websites by compromising a CA. If a browser trusts a CA, it does not check whether that CA has been compromised. An expert user can verify the certificate issuer's organization in the chain and so avoid interacting with a malicious website that has a rogue certificate. But if the browser's user interface does not allow certificate viewing, even an expert user can be subjected to the phishing attack.
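The slide's expert-user check (comparing the issuer's organization against what is expected) is the manual form of the "Pinning" term from the W3C list. As an added example that is not part of the presentation, the Python below automates that check on top of normal chain validation, using the nested-tuple subject/issuer shape that `SSLSocket.getpeercert()` returns; the host and organization names are placeholders.

```python
import ssl
import socket

# Pin: the issuer organization expected in the leaf certificate of a given host.
# Placeholder values (assumption); a real deployment records the organization
# observed out of band and reviews every change to it.
EXPECTED_ISSUER_ORG = {
    "example.com": "Example Trust Services",
}

def rdn_value(name, attribute):
    """getpeercert() gives subject/issuer as a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None

def check_issuer(cert, host, pins=EXPECTED_ISSUER_ORG):
    """Return (ok, detail); ok is False when the issuer organization is missing or differs from the pin."""
    if host not in pins:
        return False, "no pin recorded for %s" % host
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    subject_cn = rdn_value(cert.get("subject", ()), "commonName")
    if issuer_org is None:
        return False, "certificate for %s has no issuer organization" % subject_cn
    if issuer_org != pins[host]:
        return False, "issuer %r does not match pinned %r for %s" % (issuer_org, pins[host], host)
    return True, "issuer %r matches pin for %s" % (issuer_org, host)

def check_live_host(host, port=443):
    """Fetch the leaf cert over a verified TLS connection, then apply the pin on top of chain validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_issuer(tls.getpeercert(), host)

# Constructed certificates in the getpeercert() dict shape.
LEGIT_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust Services CA 1"),)),
}
ROGUE_CERT = {  # chain validates, but was issued by a different (compromised) CA
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Rogue CA Ltd"),), (("commonName", "Rogue CA Root"),)),
}
```

The pin only adds value after `ssl.create_default_context()` has already validated the chain; it catches the case the slide describes, where a trusted but compromised CA issued a technically valid certificate.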

CONCLUSION
Modern mobile browsers enable a wide range of sensitive operations over SSL/TLS connections. They lag behind desktops because of their small screen size, which causes many inconsistencies in the presentation of SSL indicators. The addition of EV-SSL certificates makes the mobile ecosystem more complex without producing much benefit. Even for expert users, detecting security issues is not easy, which makes life much harder for average users.

Questions?

THANK YOU