Conveying Trust
Serge Egelman
Portal to The Interweb
  - Threats to privacy:
      - Phishing
      - Information interception
      - Fraudulent sites
  - Web browser is central
      - Email
      - IM
  - Detection must occur here
In The Beginning…
  - Man-in-the-middle
  - Sniffing
  - SSL solved these
  - Browser SSL indicators
      - Locks
      - Keys
      - Borders
      - URL bar
SSL Indicators
  - Microsoft IE
  - Mozilla Firefox
  - Safari
But What About Phishing?
  - Toolbars
  - User notification
      - Audio
      - Pop-ups
      - Indicators
  - Community ratings
  - Heuristics
Phishing Toolbars
  - Clear Search
      - Scans email using heuristics

Phishing Toolbars
  - Cloudmark
      - Community ratings

Phishing Toolbars
  - eBay Toolbar
      - Community ratings

Phishing Toolbars
  - SpoofGuard
      - URL analysis
      - Password analysis
      - Image analysis

Phishing Toolbars
  - Trustbar (Mozilla)
      - Analyzes known sites
      - Analyzes certificate information

Phishing Toolbars
  - Trustwatch
      - Site ratings
But Do They Work?
  - No
  - 25 sites tested
      - Cloudmark: 10 (40%) identified
      - Netcraft: 19 (76%) identified
      - SpoofGuard: 10 (40%) identified
      - Trustwatch: 9 (36%) identified
Activity #1
  - Download a phishing toolbar:
      - http://www.cloudmark.com/desktop/download/
      - http://pages.ebay.com/ebay_toolbar/
      - http://crypto.stanford.edu/SpoofGuard/
      - http://trustbar.mozdev.org/
      - http://toolbar.trustwatch.com/
      - http://toolbar.netcraft.com/
  - Pros?
  - Cons?
  - Is it usable?
  - How could it be circumvented?
Other Browser Plugins
  - Previously mentioned toolbars
      - Phishing
      - Fraudulent sites
      - Limited intelligence
Password Hashing
  - Many users use same passwords
      - One compromise leads to many
  - Hashing solves this
      - Knowing real password doesn’t help
      - Passwords hashed automatically with domain name
      - User doesn’t know the difference
      - Mozilla extension
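As an added illustration of the scheme on this slide (example code written for this page, not code from the slides or from the Mozilla extension they refer to): the browser derives the password it sends to each site from the user's single master password and the site's domain. Assumptions made here and not stated on the slide: HMAC-SHA256 as the hash, a 16-character URL-safe Base64 output, and a deliberately naive "last two host labels" domain rule. The functions `site_key`, `hashed_password`, `derive_all` and `lookalike_is_useless` are names chosen for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL (or bare host) to the domain the password is bound to.

    Assumption made for this example: keep the last two host labels. A real
    implementation must consult a public-suffix list, otherwise a site such as
    example.co.uk collapses to co.uk and shares a password with every .co.uk host.
    """
    if "://" not in url:
        url = "https://" + url          # urlsplit needs a scheme to find the host
    host = urlsplit(url).hostname      # drops scheme, port, path and credentials
    if not host:
        raise ValueError(f"no host name in {url!r}")
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hashed_password(master: str, url: str, length: int = 16) -> str:
    """Derive the per-site password the browser types into the login form.

    HMAC keyed with the master password over the site key: every site receives
    a different value, and a site (or a phishing page) holding the value it was
    given cannot invert it to recover the master password. Constructed choices:
    HMAC-SHA256 and a 16-character URL-safe Base64 encoding.
    """
    mac = hmac.new(master.encode("utf-8"), site_key(url).encode("utf-8"), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode("ascii").rstrip("=")[:length]


def derive_all(master: str, urls: list) -> dict:
    """Map each URL's site key to its derived password (one entry per site)."""
    return {site_key(u): hashed_password(master, u) for u in urls}


def lookalike_is_useless(master: str, real_url: str, phishing_url: str) -> bool:
    """True when the value a lookalike domain would capture differs from the
    value the genuine site expects, i.e. the captured credential does not log in."""
    return hashed_password(master, phishing_url) != hashed_password(master, real_url)


if __name__ == "__main__":
    # Constructed sample: one master password, three sites and a lookalike domain.
    MASTER = "correct horse battery staple"
    sites = ["https://www.example.com/login",
             "http://mail.example.org:8080/",
             "https://bank.example.net"]
    for key, pw in derive_all(MASTER, sites).items():
        print(f"{key:20s} -> {pw}")
    print("lookalike useless:",
          lookalike_is_useless(MASTER, "https://www.example.com", "https://www.examp1e.com"))
```

Two properties from the slide fall out of the code: the same master yields a different value per domain, so one site's breach does not expose the others, and a page on a misspelt domain receives a value that the real domain never accepts. The domain rule is the weak point of any such scheme, which is why the comment in `site_key` flags the public-suffix problem.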
Dynamic Security Skins
  - User remembers one image
      - Trusted window
  - User remembers one password
      - Ease of use
      - Sites get hashed password
  - Matches two patterns to trust server
      - Generated using a shared secret
Trusted Window
Verifying Sites
Using Tokens
  - Two factor authentication
      - Something you have
      - Usually cryptographic
  - SecurID
  - Smart cards
  - Random cryptographic tokens
  - Scratch cards
Using Phones
  - Client side certificates
      - Private keys generated/stored on phone
      - New key for each phone
  - Keys linked to domain names
      - Key generated upon new connection
  - Bluetooth
  - No server modifications
Current Browser Support
  - Hardware drivers
  - Crappy browser support
  - Example
      - Simple text box
  - Make using the device unobtrusive

Activity #2
False Sense of Security
  - JavaScript tricks
      - ING example
  - MITM
  - Spyware
  - Stored images
      - Bank of America example
  - CAPTCHAs
Activity #3
  - What security features really need to be prominent?