TRANSCRIPT
Preventing SSLStripping Attack Using Visual Security Cues – An Empirical Study
Dongwan Shin and Rodrigo Lopes, Proceedings of the 27th Annual Computer Security Applications Conference, ser. ACSAC '11
SRIRAM A S
Introduction
• Attack reported at the Black Hat conference in 2009
• Attacks SSL
• Man-in-the-middle type
• The attack exploits browsing habits (a usability flaw), not a technical flaw
• Preventing the attack through visual cues: SSLight and Blinking Background
What is SSLStripping?
facebook.com → http://www.facebook.com → https://login.facebook.com
What is SSLStripping?
facebook.com → http://www.facebook.com
https://login.facebook.com → stripped to → http://login.facebook.com
Attacker [Man In The Middle] !!
SSLStripping Countermeasure
Classic pop-up warning window
Pop-up warning: Empirical Study
Comparison of a pop-up warning window against no warning (number of users who submitted vs. did not submit the login form):

                 Submit   Not Submit
No Warning         25          0
Pop-up Window      24          1

Result: users ignore the warning
New Approach: Visual Cues
if Https-Initial()
    return green-signal
else if formAction ≠ https
    return red-signal
else
    return Further-Analysis()

Further-Analysis():
    if ¬Verify-SSL-Certificate()
        return red-signal
    else if form.act.loc.hostname ≠ doc.loc.hostname
        if White-List(form.act.loc.hostname)
            return green-signal
        else
            return yellow-signal
    else
        return green-signal
Pseudo code
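The decision procedure above, worked through as an added Node.js example (not code from the paper or from the SSLight extension). It assumes that the browser has already validated the certificate of an HTTPS form target and passes the verdict in as the boolean certValid, and that the white list is a plain Set of trusted hostnames; the scenario names, the helper names and the login.example.net host are constructed for illustration. The example also shows the case the slides only imply: a relative form action such as "/login" is resolved against the page URL before its scheme is inspected.

```javascript
// Added example, not the paper's or SSLight's code: the slide's green/yellow/red
// decision procedure for a login form, implemented for Node.js.
// Assumptions (mine): certificate validation has already been done by the browser
// and is passed in as `certValid`; the white list is a Set of trusted hostnames.

const GREEN = 'green-signal';
const YELLOW = 'yellow-signal';
const RED = 'red-signal';

// Further-Analysis() from the slide: reached only for an HTTP page whose form
// posts to an HTTPS target.
function furtherAnalysis(act, doc, certValid, whiteList) {
  // ¬Verify-SSL-Certificate(): an HTTPS target with a bad certificate is red.
  if (!certValid) return RED;
  // form.act.loc.hostname ≠ doc.loc.hostname: the form posts to another host.
  if (act.hostname !== doc.hostname) {
    // White-List(form.act.loc.hostname): trusted cross-host targets stay green.
    return whiteList.has(act.hostname) ? GREEN : YELLOW;
  }
  return GREEN;
}

// Classify one login form. documentUrl is the page the form sits on; formAction
// is the form's action attribute, absolute or relative.
function classifyForm({ documentUrl, formAction, certValid = false, whiteList = new Set() }) {
  const doc = new URL(documentUrl);
  // A relative action such as "/login" resolves against the page URL (WHATWG URL).
  const act = new URL(formAction, documentUrl);

  // Https-Initial(): the page itself was loaded over HTTPS.
  if (doc.protocol === 'https:') return GREEN;
  // formAction ≠ https: credentials would leave the browser in clear text.
  if (act.protocol !== 'https:') return RED;
  return furtherAnalysis(act, doc, certValid, whiteList);
}

// Constructed scenarios built around the slide's facebook.com flow.
function runScenarios() {
  const trusted = new Set(['login.facebook.com']);
  return {
    // Normal case: the login page itself arrived over HTTPS.
    httpsPage: classifyForm({
      documentUrl: 'https://login.facebook.com/',
      formAction: '/login.php',
    }),
    // SSLStripped case: the browser is handed an HTTP copy of the login page
    // whose form also posts over HTTP.
    stripped: classifyForm({
      documentUrl: 'http://login.facebook.com/',
      formAction: 'http://login.facebook.com/login.php',
    }),
    // HTTP page posting to an HTTPS target on the same host with a valid cert.
    httpPageHttpsPost: classifyForm({
      documentUrl: 'http://www.facebook.com/',
      formAction: 'https://www.facebook.com/login.php',
      certValid: true,
    }),
    // HTTPS target on a different host that is not white-listed: yellow.
    crossHostUnknown: classifyForm({
      documentUrl: 'http://www.facebook.com/',
      formAction: 'https://login.example.net/login.php', // constructed host
      certValid: true,
      whiteList: trusted,
    }),
    // HTTPS target on a different host that is on the white list: green.
    crossHostTrusted: classifyForm({
      documentUrl: 'http://www.facebook.com/',
      formAction: 'https://login.facebook.com/login.php',
      certValid: true,
      whiteList: trusted,
    }),
    // HTTPS target whose certificate fails verification: red.
    badCert: classifyForm({
      documentUrl: 'http://www.facebook.com/',
      formAction: 'https://login.facebook.com/login.php',
      certValid: false,
      whiteList: trusted,
    }),
  };
}

console.log(runScenarios());
```

Two points worth noticing when reading the output: the stripped scenario is exactly the flow from the "What is SSLStripping?" slides (the browser only ever sees http://login.facebook.com), and it is the one case the page itself cannot flag without help, which is why the cue has to come from the browser side. The example also mirrors the pseudocode faithfully in green-lighting any page loaded over HTTPS without inspecting its form action, so the strength of the signal on an HTTPS page rests entirely on the browser's own certificate checks.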
Visual Cue: SSLight
Visual Security Cues: Types
1. SSLight
Visual Security Cues: Types
2. Blinking Background
Effectiveness of Visual Cues
Comparison of a pop-up warning window against the two visual security cues (number of users who submitted vs. did not submit the login form):

                 Submit   Not Submit
Pop-up Window      24          1
SSLight            16          9
Blinking            8         17
To Appreciate
• Visual cues displayed on the login fields attract the user's attention.
(Figure: Current Visual Cue vs. New Approach)
To Criticize
• What if the attacker tampers with the white list of trusted login entities used for validation?
• The experimental studies were limited to a university-student demographic.
• Exit survey: no significant difference in the user ratings of the three methods for preventing the attack.
Question
• Should the user need to put in extra effort to understand the basics of data encryption, security protocols and browser warnings?
Thank You