Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presentation By :- Krishna Sai Mulpuri

Published byFerdinand Jones Modified over 6 years ago

Similar presentations

Presentation on theme: "Presentation By :- Krishna Sai Mulpuri"— Presentation transcript:

1 Presentation By :- Krishna Sai Mulpuri
An Empirical Evaluation of Security Indicators in Mobile Web Browsers Chaitrali Amrutkar, Patrick Traynow and Paul C. van Oorschot Presentation By :- Krishna Sai Mulpuri

2 CONTENT Section 1 Introduction Section 2 Terminologies and Guidelines
Observations of Results Section 4 Additional Results Section 5 User’s interaction and Possible attacks Section 6 Conclusion

3 Introduction Mobile platform is very popular in the 21st century, it provides a rich set of features that often rival their desktop counterparts. Mobile platform in combination of strong cryptographic tools including SSL/TLS, allows users to become increasingly reliant upon mobile devices to enable sensitive personal, social and financial exchanges. A 2011 report indicates that mobile users are three times more likely to access phishing websites than desktop users. W3C has set forth some guidelines to convey security for web user interface. Some experiments are performed on browsers of both mobile and desktop.

4 W3C TERMINOLOGIES User Interface Elements Trust Anchor Root
Trusted Root Certificates Pinning Identity Signal Strong TLS Weak TLS Error Messages

5 W3C GUIDELINES Identity Signal : Availability
Certificates : Required Content TLS Indicators Significance of presence Content & Indicator Proximity Availability & Robustness Robustness : Visibility of Indicators Error Messages Interruption Proceeding Options Inhibit Interaction

6 AUTHORS TEST SETUP

7 IDENTITY SIGNAL Contains information about website owner and corresponding certificate issuer information

8 CERTIFICATES MUST provide reasons of TRUST Domain Name Reason of Trust
accepted interactively or not self-signed or not presented to user or not

9 CERTIFICATES

10 TLS INDICATORS Availability Robustness Significance of Presence
Content & Indicator Proximity Availability Robustness

11 TLS INDICATORS

12 SOME OBSERVATIONS OF TLS INDICATORS

13 ROBUSTNESS Web content MUST NOT obscure the security user interface.
Some TLS indicators on UI are lock icon, site identity button, https URL prefix. visibility is dependent on screen and its properties.

14 ERROR MESSAGES Interruption Proceeding Options Inhibit Operation

15 SOME OBSERVATIONS OF ERROR MESSAGES

16 ADDITIONAL RESULTS(+ve)
SSL version 2 MUST NOT hold strong and after the experiment authors found that None of the browsers in either mobile or tablet support it. The NULL Cipher is one of the most dangerous ciphers as it represents lack of an encrypted communication channel. Authors found that None of the browsers either in mobile or tablet support the null cipher.

17 ADDITIONAL RESULTS(-ve)
Browser supporting weak cipher can enable a network attacker to break the encrypted messages . Authors perform check on DES-CBC-SHA weak cipher. Observations 6 mobile & tablet browsers support weak cipher. Others display error messages conveying absence of encryption protocol with server.

18 Phishing using compromised CA
POSSIBLE ATTACKS Four types of are discussed which are possible due to violation of one or more W3C Guidelines. attacks If W3C Guidelines are not followed then users can be easily misled about the identity of the website or the security of the connection. Phishing without SSL Phishing with SSL Phishing using compromised CA Industrial Espionage

19 PHISHING WITHOUT SSL Attacker masquerades as a trustworthy entity in the attack as closely imitates the legitimate website’s identity along with lock icon spoofing, launching attack without SSL on browser. Domain name quite similar to legitimate website which provides an impression of correct identity of website. Makes the favicon a lock image which provides an illusion for strong encryption. When rendered in a browser where URL viewing is difficult or doesn’t offer a UI to view identity information of website, then even advance user might get subjected to phishing.

20 PHISHING WITH SSL Spoofing only lock icon is not adequate for a successful phishing attack. An attacker can buy an inexpensive SSL Certificate for website to increase credibility of attack.

21 PHISHING USING COMPROMISED CA
Attacker obtains rogue certificates for legitimate websites by compromising CA. If a browser trusts a CA then it doesn’t checks if CA is compromised or not. An expert user can verify certificate issuer’s organization in the chain, thus not interacting with malicious website having a rogue certificate. But if browser doesn’t allow user interface to have certificate viewing, then even an expert user can be subjected to phishing attack. PHISHING USING COMPROMISED CA

22 CONCLUSION Modern mobile browsers enable a wide range of sensitive operations over SSL/TLS connections. They lack behind when compared with desktops, due to the small scree size. small screen size of mobile browsers causes lot of inconsistencies in the presentation of SSL indicators. Addition of EV-SSL certificates make the mobile ecosystem more complex without producing much benefits. Even for expert users, detecting security issues is not easy, which makes the life of average users much harder.

23 Questions?

24 THANK YOU

Download ppt "Presentation By :- Krishna Sai Mulpuri"

Similar presentations

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
The Inconvenient Truth about Web Certificates Nevena Vratonjic Julien Freudiger Vincent Bindschaedler Jean-Pierre Hubaux June 2011, WEIS’11.

The Inconvenient Truth about Web Certificates Nevena Vratonjic Julien Freudiger Vincent Bindschaedler Jean-Pierre Hubaux June 2011, WEIS’11.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
The Study of Security and Privacy in Mobile Applications Name: Liang Wei

The Study of Security and Privacy in Mobile Applications Name: Liang Wei
Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING AND.

Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING AND.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.

Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
1 Low-cost Manufacturing, Usability, and Security: An Analysis of Bluetooth Simple Pairing and Wi-Fi Protected Setup Cynthia KuoCarnegie Mellon University.

1 Low-cost Manufacturing, Usability, and Security: An Analysis of Bluetooth Simple Pairing and Wi-Fi Protected Setup Cynthia KuoCarnegie Mellon University.

Similar presentations

Ads by Google