fucking shit


  1. Conveying Trust or Doing Crazy Shit with Web Browsers
     Serge Egelman

  2. Portal to The Interweb
     • Threats to privacy:
       ◦ Phishing
       ◦ Information interception
       ◦ Fraudulent sites
     • Web browser is central
       ◦ Email
       ◦ IM
     • Detection must occur here

  3. In The Beginning…
     • Man-in-the-middle
     • Sniffing
     • SSL solved these
     • Browser SSL indicators
       ◦ Locks
       ◦ Keys
       ◦ Borders
       ◦ URL bar

  4. SSL Indicators
     • Microsoft IE
     • Mozilla
     • Firefox
     • Safari

  5. But What About Phishing?
     • Toolbars
     • User notification
       ◦ Audio
       ◦ Pop-ups
       ◦ Indicators
     • Community ratings
     • Heuristics

  6. Phishing Toolbars
     • Clear Search
       ◦ Scans email using heuristics

  7. Phishing Toolbars
     • Cloudmark
       ◦ Community ratings

  8. Phishing Toolbars
     • eBay Toolbar
       ◦ Community ratings

  9. Phishing Toolbars
     • SpoofGuard
       ◦ URL analysis
       ◦ Password analysis
       ◦ Image analysis

  10. Phishing Toolbars
      • Trustbar (Mozilla)
        ◦ Analyzes known sites
        ◦ Analyzes certificate information

  11. Phishing Toolbars
      • Trustwatch
        ◦ Site ratings

  12. But Do They Work?
      • No
        ◦ 25 sites tested
        ◦ Cloudmark: 10 (40%) identified
        ◦ Netcraft: 19 (76%) identified
        ◦ SpoofGuard: 10 (40%) identified
        ◦ Trustwatch: 9 (36%) identified

  13. Activity #1
      • Download a phishing toolbar:
        ◦ http://www.cloudmark.com/desktop/download/
        ◦ http://pages.ebay.com/ebay_toolbar/
        ◦ http://crypto.stanford.edu/SpoofGuard/
        ◦ http://trustbar.mozdev.org/
        ◦ http://toolbar.trustwatch.com/
        ◦ http://toolbar.netcraft.com/
      • Pros? Cons?
      • Is it usable?
      • How could it be circumvented?

  14. Other Browser Plugins
      • Previously mentioned toolbars
        ◦ Phishing
        ◦ Fraudulent sites
        ◦ Limited intelligence

  15. Password Hashing
      • Many users use the same passwords
        ◦ One compromise leads to many
        ◦ Knowing the real password doesn't help
      • Hashing solves this
        ◦ Passwords hashed automatically with the domain name
        ◦ User doesn't know the difference
      • Mozilla extension

  16. Dynamic Security Skins
      • User remembers one image
        ◦ Trusted window
      • User remembers one password
        ◦ Ease of use
        ◦ Sites get hashed password
      • Matches two patterns to trust server
        ◦ Generated using a shared secret

  17. Trusted Window

  18. Verifying Sites

  19. Using Tokens
      • Two-factor authentication
        ◦ Something you have
        ◦ Usually cryptographic
      • SecurID
      • Smart cards
      • Random cryptographic tokens
      • Scratch cards

  20. Using Phones
      • Client-side certificates
        ◦ Private keys generated/stored on phone
        ◦ New key for each phone
      • Keys linked to domain names
      • Key generated upon new connection
      • Bluetooth
      • No server modifications

  21. Current Browser Support
      • Hardware drivers
        ◦ Crappy browser support
        ◦ Example
      • Simple text box
      • Make using the device unobtrusive
      • Activity #2

  22. False Sense of Security
      • JavaScript tricks
        ◦ ING example
        ◦ MITM
        ◦ Spyware
      • Stored images
        ◦ Bank of America example
        ◦ MITM
        ◦ Spyware
      • CAPTCHAs
        ◦ MITM

  23. Activity #3
      • What security features really need to be prominent?
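The per-site password hashing idea from slide 15 (one master password, automatically keyed to the domain so a reused or phished password is useless elsewhere), as an added illustration that is not the deck's or the Mozilla extension's own code. It uses HMAC-SHA256 and a two-label host reduction, both assumptions for illustration; a production tool would key the derivation on the registrable domain from the public-suffix list.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the host portion the derivation is keyed on.

    Assumption: the last two host labels. Real tools should use the
    public-suffix list so hosts under e.g. 'co.uk' are reduced correctly.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Per-site password = HMAC(master, site_key), encoded for typing.

    The browser would substitute this for the typed master password on
    submit, so the user never sees a difference (slide 15). A lookalike
    or phishing host yields a different key, hence a different password.
    """
    tag = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    # URL-safe base64 keeps the result printable; truncate to a length
    # most login forms accept.
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")[:length]


def same_site(url_a: str, url_b: str) -> bool:
    """True when both URLs derive the same per-site password."""
    return site_key(url_a) == site_key(url_b)


if __name__ == "__main__":
    # Constructed sample values; the hosts do not refer to real sites.
    master = "one-password-to-rule-them"
    bank = "https://www.bank.example/login"
    bank_other_page = "https://bank.example/account"
    lookalike = "https://www.bank.example.login-host.example/login"

    print("bank      ", derive_site_password(master, bank))
    print("bank/other", derive_site_password(master, bank_other_page))
    print("lookalike ", derive_site_password(master, lookalike))
    print("same site?", same_site(bank, lookalike))
```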
