Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Source: ACSAC 2011 Authors: Dongwan Shin, Rodrigo Lopes Report: Minhao Wu.

Published byRegina Strickland Modified over 9 years ago

Similar presentations

Presentation on theme: "An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Source: ACSAC 2011 Authors: Dongwan Shin, Rodrigo Lopes Report: Minhao Wu."— Presentation transcript:

1 An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Source: ACSAC 2011 Authors: Dongwan Shin, Rodrigo Lopes Report: Minhao Wu Date: 2011-12-20

2 outline Introduction Related work Our approach User study Discussion Conclusion

3 Introduction SSLstripping attack introduced at the Blackhat conference in 2009 SSLstripping attack It attacks secure socket layer (SSL), which is the most widely used security mechanism that enables secure communication establishment between two parties over the Internet. As a type of man-in the-middle (MITM) attack, the attack could affect tens of millions of online users of popular SSL-protected web sites such as Facebook.com.

4

5

6 Related work Nikiforakis et al. proposed an approach to leveraging a client side HTTP proxy, which, relying on browser history, would compare the current request with previous requests made to the same website it fails to address several issues ◦ it requires a browser history ◦ This automatically excludes all users that do not save browsing history it assumes that the attack is never a zero day attack

7

8 Our approach

9

10

11 We developed an algorithm that will ◦ look at the web page source code and ◦ output an evaluation based on the comparison of the web page’s address and ◦ the login form’s action data, which has an URL where credentials will be submitted

12 if the page loaded by the web browser is already being accessed over SSL. if the certificate proves not to be invalid, we compare the domain in the form action with the domain of the loaded page

13 User study General awareness of secure form submission Effectiveness of SSLstripping, given the awareness Unhelpfulness of an existing method Helpfulness of visual cue-based methods Effectiveness of different visual cue methods

14 Group 1: Exposed to the attack with no warning Group 2: Exposed to the attack with the standard pop-up warning dialog Group 3: Exposed to the attack with the SSLight warning in the login form fields Group 4: Exposed to the attack with the blinking background in the login form fields

15

16

17 User study results

18

19

20

21 Discussion

22

23

24

25 CONCLUSION the proposed solutions are more effective and efficient in preventing the SSLstripping attack than the classic pop- up window method. We see the emergence of long solved security flaws in new devices, as is the case of the recent browser user interface spoofing in iPhone.

Download ppt "An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Source: ACSAC 2011 Authors: Dongwan Shin, Rodrigo Lopes Report: Minhao Wu."

Similar presentations

Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.

Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.

Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
By: Ansuya Chauhan.

By: Ansuya Chauhan.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
XP Browser and E-mail Basics1. XP Browser and E-mail Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.

XP Browser and Basics1. XP Browser and Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.

Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.
11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.

11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.
GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.

GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.

Similar presentations

Ads by Google