Upload File

preventing sslstripping attack using visual security cues – an empirical study dongwan shin and...

  • Home
  • Documents
  • Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security
14
Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security Applications Conference, ser. ACSAC '11 SRIRAM A S

Upload: virgil-allison

Post on 12-Jan-2016

215 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Preventing SSLStripping AttackUsing Visual Security Cues – An empirical study

Dongwan Shin and Rodrigo LopesProceedings of the 27th Annual Computer Security Applications Conference, ser. ACSAC '11

SRIRAM A S

Page 2: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Introduction

• Attack reported at Blackhat conference in 2009

• Attacks SSL

• Man-In-The-Middle Type

• Attack Exploits browsing habits (usability flaw) and not technical flaw

• Preventing attack through Visual cues- SSLight Blinking Background

Page 3: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

What is SSLStripping?

facebook.comhttp://www.facebook.com

https://login.facebook.com

Page 4: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

What is SSLStripping?

facebook.com

http://www.facebook.com

https://login.facebook.comhttp://login.facebook.com

Attacker [Man In The Middle] !!

Page 5: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

SSLStripping Countermeasure

Classic Pop-up menu warning

Page 6: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Pop-up warning: Empirical Study

Comparison of having a Pop-up window against No warning,

Submit Not Submit

No Warning 25 0

Pop-up Window 24 1

Result-User ignores warning

Page 7: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

New Approach: Visual Cues

if Https-Initial() return green-signalelse if formAction ≠ https return red-signal else Further-Analysis()

Further-Analysis()if ¬Verify-SSL-Certificate() return red-signalelse if form.act.loc.hostname ≠ doc.loc.hostname if White-List(form.act.loc.hostname) return green-signal else return yellow-signal else return green-signal

Pseudo code

Visual Cue: SSLight

Page 8: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Visual Security Cues: Types

1. SSLight

Page 9: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Visual Security Cues: Types

2. Blinking Background

Page 10: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Effectiveness of Visual Cues

Comparison of having a Pop-up window against different Visual Security Clues,

Submit Not Submit

Pop-up Window 24 1

SSLight 16 9

Blinking 8 17

Page 11: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

To Appreciate

• Visual cues displayed on the login fields attracts users.

CurrentVisual Cue

NewApproach

Page 12: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

To Criticize

• What if the attacker hacks the list of trusted long entities used for validation?

• Experimental studies with University students demographic.

• Exit survey - no significant difference in the user ratings of the three methods to prevent attack.

Page 13: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Question

• Should the user needs to put an extra effort to understand the basic structure of data encryption, security protocols and browser warnings?

Page 14: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security

Thank You


COEN 351 Internet Security. Network Layer Security Application Layer Security System Security

Corporate Security Service – Security Guard Provider – Security Service:

An Investigation on HTTP/2 Security · 2018. 5. 4. · the active session and cookie data, SSLstripping, which is a type of Man-In-The-Middle (MITM) attack technique through which

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack

Security Target IBM Internet Security Systems GX6116 Security

Food Security EconomicsFood Security Food Security in India

The Mobile Security (mSecurity) Bible: 2014 - 2020 - Device Security, Infrastructure Security & Security Services

ACM SAC 2018 · Haritza Camblong Luiz Armin R. Mikler Hossain Shahriar Dongwan Shin Roger L. Wainwright ... ACM’s primary applications-oriented SIG. Its mission is to

APPLIED COMPUTING 2013 - SIGAPP - Homepage · Tei-Wei Kuo Dongwan Shin ... (12:30pm-2:30pm) Baeksanggwan Hall SAC Luncheon For all Registered ... Applied Computing (SAC 2014)

VENEZUELA Real Property Security Security Interests in ... Property Security, Security... · VENEZUELA Real Property Security Security Interests in Immovables and Related Property

Physical & Personnel Security Physical Security Personnel Security

Network Security - Thierry Sans...SSLStripping attack (challenge coming next) Preventing eavesdropping attacks Preventing packet sniffing over Ethernet Hub : broadcast all messages

HyHy---Security Security Security Gate Operators Gate ... · HyHy---Security Security Security Gate Operators Gate Operators ... and performance of this expertly engineered machine

Security - 1 Security Peter O’Grady. Security - 2 Network Security Problem n Data Flow - transmission security n Network Security - server security n

Portable NMR with Parallelism - Donhee Hamham.seas.harvard.edu/upload/papers/2020/2020...Portable NMR with Parallelism Ka-Meng Lei,†,‡ Dongwan Ha,‡ Yi-Qiao Song,§ Robert M

Design of a MP3 Decoder using the System-On-Chip ...cad/publications/tech-reports/...Design of a MP3 Decoder using the System-On-Chip Environment (SCE) Andreas Gerstlauer Dongwan Shin

Buy the security standards you need shop.bsigroup.com/security Standards Brochure.pdf · Security standards shop.bsigroup.com/security BSI’s Security standards Welcome to our security

General Security Principles and Practices. Security Principles Common Security Principles Security Policies Security Administration Physical Security

Cyber Security Specialist Information Security • Cyber ... · Cyber Security • Security Analyst • Cyber Security Specialist Information Security • Cyber Operations Manager

Security #MiSSConceptsmiss.in.th/MiSSConf(SP2)/slides/Security-MiSSConcept.pdfSenior Security Engineer (AGODA) Penetration Tester Security Consultant. Security #MiSSConcepts. Security

Mobile Services Security: Mobile Platform Security AF Security

For Security Professionals 1 INFORMATION SYSTEM SECURITY SECURITY

An Investigation on HTTP/2 Security 2018-05-04 · the active session and cookie data, SSLstripping, which is a type of Man-In-The-Middle (MITM) attack technique through which a website

Meta-analysis of Randomized Controlled Lipid Profile in ......Faisal Akhtar , Faraz Khalid , Hanzhang Wang , Dongwan Zhang , Xiaolong Gong 1. Neurology, Ochsner Health System 2. Global

Round Result - Amazon S3s3.amazonaws.com/bitter_eventmanager/aocrc/2018 AOC... · 1 Dongwan Jo 1 17/5:12.568 5 0/0.000 1 [1] 17/5:12.568 2 Lee In Sub 5 15/5:01.070 1 16/5:18.714 1

MetaBAT.docx · Web viewMetaBAT.docx Last modified by Dongwan Kang Company JGI

Evolución Fortinet Security Fabric · Network Security Network Security Cloud & Apps Security Multi-Cloud Security Open API Fabric Connectors Infrastructure Security Endpoint Protection

PHYSICAL SECURITY & ENVIRONMENTAL SECURITY · Physical Security & Environmental Security Policy and Procedures Title [company name] Physical Security & Environmental Security Policy

maritime security regulations - UNOLS · Maritime Security Regulations ... ship security – List primary ... Security Plan Port Security Plan Area Maritime Security Transportation

Network Security - Norbert Pohlmann · Security Infrastructure Mobile/Desktop Security Network Security E-Commerce Enabler Internet Security Network Security Secure Communication

Security Admin security

Hardware Security Attacks Security Architecture Hardware Security

SECURITY Security

Scalable NMR spectroscopy with semiconductor chipsham.seas.harvard.edu/upload/papers/2014/scalable.pdf · Scalable NMR spectroscopy with semiconductor chips Dongwan Haa, Jeffrey Paulsenb,

Remote Filtering - Web Security, Email Security, Data Security