![Page 1: Preventing SSLStripping Attack Using Visual Security Cues – An empirical study Dongwan Shin and Rodrigo Lopes Proceedings of the 27th Annual Computer Security](https://reader033.vdocuments.site/reader033/viewer/2022051416/56649ea95503460f94bad2cd/html5/thumbnails/1.jpg)
Preventing SSLStripping Attack Using Visual Security Cues – An empirical study
Dongwan Shin and Rodrigo Lopes
Proceedings of the 27th Annual Computer Security Applications Conference, ser. ACSAC '11
SRIRAM A S
Introduction
• Attack reported at the Blackhat conference in 2009
• Attacks SSL
• Man-in-the-middle type of attack
• The attack exploits browsing habits (a usability flaw), not a technical flaw
• Prevention through visual cues: SSLight and Blinking Background
What is SSLStripping?
Normal flow: the user types facebook.com; the browser requests http://www.facebook.com; the site redirects the login to https://login.facebook.com.
Attacked flow: an attacker [Man In The Middle] sits between the user and the site. The user still types facebook.com and the browser still requests http://www.facebook.com, but the redirect to https://login.facebook.com reaches the user as http://login.facebook.com.
SSLStripping Countermeasure
Classic pop-up window warning
Pop-up warning: Empirical Study
Comparison of a pop-up window warning against no warning (25 participants per condition; counts of those who submitted the login form and those who did not):

| Condition | Submit | Not Submit |
|---|---|---|
| No Warning | 25 | 0 |
| Pop-up Window | 24 | 1 |

Result: users ignore the warning.
New Approach: Visual Cues
Pseudo code:

```
if Https-Initial()
    return green-signal
else if formAction ≠ https
    return red-signal
else
    Further-Analysis()

Further-Analysis():
    if ¬Verify-SSL-Certificate()
        return red-signal
    else if form.act.loc.hostname ≠ doc.loc.hostname
        if White-List(form.act.loc.hostname)
            return green-signal
        else
            return yellow-signal
    else
        return green-signal
```
Visual Cue: SSLight
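As an added example (not code from the paper or from these slides), the following plain JavaScript implements the SSLight decision tree exactly as the pseudo code states it, and runs it over constructed scenarios that mirror the two diagrams earlier in the deck: the normal facebook.com redirect flow and the stripped one. It does not read a live browser DOM; the page state is passed in as a small object, and the names `pageState`, `checkLoginForm`, `furtherAnalysis`, `WHITE_LIST` and `runScenarios`, the `/login` action path and the `example.test` hosts are all this example's own assumptions.

```javascript
// Added example: a plain-JavaScript rendition of the SSLight decision
// logic from the slide's pseudo code. Not code from the paper or slides.
// The browser DOM is replaced by a constructed "page state" object; the
// names pageState, checkLoginForm, furtherAnalysis, WHITE_LIST and
// runScenarios are this example's own.

// The paper's White-List(): third-party login hosts trusted to receive
// credentials from a form on another site. Constructed sample entry.
const WHITE_LIST = new Set(['sso.example.test']);

// Implements the top-level pseudo code. pageState fields:
//   documentUrl      - URL the current document was loaded from (doc.loc)
//   httpsInitial     - Https-Initial(): the initial request already used HTTPS
//   formAction       - the login form's action attribute (may be relative)
//   certificateValid - Verify-SSL-Certificate(): the browser's certificate
//                      check for the form action's host succeeded
// Returns 'green', 'yellow' or 'red'.
function checkLoginForm(pageState) {
  const docUrl = new URL(pageState.documentUrl);
  // A relative action such as "/login" resolves against the document URL,
  // which is also how the browser derives form.act.loc.
  const actionUrl = new URL(pageState.formAction, docUrl);

  if (pageState.httpsInitial) return 'green';
  if (actionUrl.protocol !== 'https:') return 'red'; // formAction ≠ https
  return furtherAnalysis(pageState, docUrl, actionUrl);
}

// Implements Further-Analysis() from the pseudo code.
function furtherAnalysis(pageState, docUrl, actionUrl) {
  if (!pageState.certificateValid) return 'red';
  if (actionUrl.hostname !== docUrl.hostname) {
    // Credentials leave the current site: green only for whitelisted hosts.
    return WHITE_LIST.has(actionUrl.hostname) ? 'green' : 'yellow';
  }
  return 'green';
}

// Constructed scenarios mirroring the two diagrams on the earlier slides
// (normal flow vs. stripped flow) plus the certificate and third-party cases.
function runScenarios() {
  return {
    // Normal flow: http://www.facebook.com redirected to
    // https://login.facebook.com; the form posts back to the same host.
    normalFlow: checkLoginForm({
      documentUrl: 'https://login.facebook.com/',
      httpsInitial: false,
      formAction: '/login',
      certificateValid: true,
    }),
    // Stripped flow: the man-in-the-middle delivered http://login.facebook.com,
    // so the resolved form action is plain HTTP as well.
    strippedFlow: checkLoginForm({
      documentUrl: 'http://login.facebook.com/',
      httpsInitial: false,
      formAction: '/login',
      certificateValid: true,
    }),
    // HTTPS form action whose certificate fails the browser's validation.
    badCertificate: checkLoginForm({
      documentUrl: 'https://login.facebook.com/',
      httpsInitial: false,
      formAction: 'https://login.facebook.com/login',
      certificateValid: false,
    }),
    // Form posts to a different host that is on the white list.
    whitelistedThirdParty: checkLoginForm({
      documentUrl: 'https://shop.example.test/',
      httpsInitial: false,
      formAction: 'https://sso.example.test/login',
      certificateValid: true,
    }),
    // Form posts to a different host that is not on the white list.
    unknownThirdParty: checkLoginForm({
      documentUrl: 'https://shop.example.test/',
      httpsInitial: false,
      formAction: 'https://other.example.test/login',
      certificateValid: true,
    }),
  };
}

console.log(runScenarios());
```

Run it with node; the object printed by `runScenarios()` shows green for the normal redirect flow, red for the stripped flow and for the bad certificate, green for the whitelisted third-party host and yellow for the unknown one. The tree is the slide's as written: it rates the form's action URL, `Https-Initial()` short-circuits to green, and the white list is the one piece of state a deployment has to maintain, which is what the critique slide later in the deck asks about.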
Visual Security Cues: Types
1. SSLight
2. Blinking Background
Effectiveness of Visual Cues
Comparison of the pop-up window against the two visual security cues (25 participants per condition; counts of those who submitted the login form and those who did not):

| Condition | Submit | Not Submit |
|---|---|---|
| Pop-up Window | 24 | 1 |
| SSLight | 16 | 9 |
| Blinking | 8 | 17 |
To Appreciate
• Visual cues displayed on the login fields attract users' attention.
Figure: current visual cue vs. new approach
To Criticize
• What if the attacker tampers with the list of trusted login entities (the white list) used for validation?
• The experimental studies were limited to a university-student demographic.
• Exit survey: no significant difference in the user ratings of the three methods for preventing the attack.
Question
• Should users need to put in extra effort to understand the basics of data encryption, security protocols and browser warnings?
Thank You