Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Dongwan Shin and Rodrigo Lopes In Proc. 27 th Annual Computer Security Applications.

Published byCarmel Melton Modified over 9 years ago

Similar presentations

Presentation on theme: "An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Dongwan Shin and Rodrigo Lopes In Proc. 27 th Annual Computer Security Applications."— Presentation transcript:

1 An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Dongwan Shin and Rodrigo Lopes In Proc. 27 th Annual Computer Security Applications Conference, (Orlando, Florida, 2011), ACM, 287-296. Presented by: Ilya (Michael) Litvinenko

2 SSLstripping Web Browser Web Server Attacker b. Semantic attack- targets how humans assign meaning to the content a. Type of MITM attack: Our user/victim 1 2 1.User interaction – Authors’ focus 2.Attack mechanism: the attacker strips users’ session of its security

3 Existing visual cues 3. Pop up warning windows (e.g. Mozilla Firefox, Internet Explorer, Google Chrome) Authors’ focus for the comparison with their approach 1. Lock icon 2. Extended validation certificates

4 Suggested solution Security status light (SSLight): Google Chrome web browser extension analyzes web page source code and output an evaluation based on the comparison web page’s address and login form’s action data ads a ‘traffic light’ cue to login form field The traffic light extension The Blinking background extension

5 Experiment design Purpose – to compare effectiveness of the existing solutions with SSLight Case study : 100 people divided into 4 groups Using facebook with SSLstripping injected In the end users are asked questions about understanding secure form submissions The First Hypothesis to prove: General awareness of secure form submissions

6 Critique: Hypothesis 1 The Authors then state – from these results, our first hypothesis is confirmed, and we can assume that the average user is aware of the dangers of submitting data over the network using forms over plain http. I think that the difference and awareness of the dangers are two different things. Hypothesis one is not well supported. That makes me wonder about all their conclusions Task: Select all options which indicate unencrypted form submissions. The Authors state that the user will know the difference between encrypted and unencrypted credential submission when they log in to a website.

7 Appreciative comment The authors say that the traffic light metaphor can be used for making better decisions when submitting the sensitive information. I think it is a generalizable idea with a broader context which is wider than the submitting of the sensitive information. For example we could use that idea in security warning messages of the web browsers. Example of SSL certificate warning for Dolphin web browser Suggested example using traffic light metaphor

8 A question. Considering that SSLight solution partially helps to prevent MITM attack and can be compromised, is it better to have it? Will it give user a false assurance ?

Download ppt "An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Dongwan Shin and Rodrigo Lopes In Proc. 27 th Annual Computer Security Applications."

Similar presentations

B: STUDENT DRIVE MOVE INSTRUCTIONS. Using Internet Explorer: From your computers desktop, double click on the Internet Explorer icon. (Internet Explorer.

B: STUDENT DRIVE MOVE INSTRUCTIONS. Using Internet Explorer: From your computers desktop, double click on the Internet Explorer icon. (Internet Explorer.
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.

HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.
Welcome to the Award Winning Easiest to Use & Most Advanced View, Manage, and Control Security, Access Control, Video, Energy & Lighting Systems, & Critical.

Welcome to the Award Winning Easiest to Use & Most Advanced View, Manage, and Control Security, Access Control, Video, Energy & Lighting Systems, & Critical.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.

On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.

Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Workshop 6: SSL/TLS The HTTPS stripping attacks Zhou Peng and Daoyuan Wu 25 April 2014.

Workshop 6: SSL/TLS The HTTPS stripping attacks Zhou Peng and Daoyuan Wu 25 April 2014.
Jason Rich CIS - 158 1.  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.

Jason Rich CIS  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
NETWORK SECURITY.

NETWORK SECURITY.
BROWSERS & BROWSING What, Which & Why. WHAT IS A BROWSER? Once you have an Internet connection, some programs access the internet automatically to operate.

BROWSERS & BROWSING What, Which & Why. WHAT IS A BROWSER? Once you have an Internet connection, some programs access the internet automatically to operate.
Adware, Spyware, and Malware Anand Dedhia Bharath Raj ECE 4112 Project 28 April 2005.

Adware, Spyware, and Malware Anand Dedhia Bharath Raj ECE 4112 Project 28 April 2005.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET

Similar presentations

Ads by Google