Transcript

  • 1. Conveying Trust or Doing Crazy Shit with Web Browsers (Serge Egelman)
  • 2. Portal to The Interweb
    • Threats to privacy:
      • Phishing
      • Information interception
      • Fraudulent sites
    • Web browser is central
      • Email
      • IM
    • Detection must occur here
  • 3. In The Beginning…
    • Man-in-the-middle
    • Sniffing
    • SSL solved these
    • Browser SSL indicators
      • Locks
      • Keys
      • Borders
      • URL bar
  • 4. SSL Indicators
    • Microsoft IE
    • Mozilla
    • Firefox
    • Safari
  • 5. But What About Phishing?
    • Toolbars
    • User notification
      • Audio
      • Pop-ups
      • Indicators
    • Community ratings
    • Heuristics
  • 6. Phishing Toolbars
    • Clear Search
      • Scans email using heuristics
  • 7. Phishing Toolbars
    • Cloudmark
      • Community ratings
  • 8. Phishing Toolbars
    • eBay Toolbar
      • Community ratings
  • 9. Phishing Toolbars
    • SpoofGuard
      • URL analysis
      • Password analysis
      • Image analysis
  • 10. Phishing Toolbars
    • Trustbar (Mozilla)
      • Analyzes known sites
      • Analyzes certificate information
  • 11. Phishing Toolbars
    • Trustwatch
      • Site ratings
  • 12. But Do They Work?
    • No
      • 25 sites tested
      • Cloudmark: 10 (40%) identified
      • Netcraft: 19 (76%) identified
      • SpoofGuard: 10 (40%) identified
      • Trustwatch: 9 (36%) identified
  • 13. Activity #1
    • Download a phishing toolbar:
      • http://www.cloudmark.com/desktop/download/
      • http://pages.ebay.com/ebay_toolbar/
      • http://crypto.stanford.edu/SpoofGuard/
      • http://trustbar.mozdev.org/
      • http://toolbar.trustwatch.com/
      • http://toolbar.netcraft.com/
    • Pros? Cons?
    • Is it usable?
    • How could it be circumvented?
  • 14. Other Browser Plugins
    • Previously mentioned toolbars
      • Phishing
      • Fraudulent sites
      • Limited intelligence
  • 15. Password Hashing
    • Many users use same passwords
      • One compromise leads to many
      • Knowing real password doesn’t help
    • Hashing solves this
      • Passwords hashed automatically with domain name
      • User doesn’t know the difference
    • Mozilla extension
  • 16. Dynamic Security Skins
    • User remembers one image
      • Trusted window
    • User remembers one password
      • Ease of use
      • Sites get hashed password
    • Matches two patterns to trust server
      • Generated using a shared secret
  • 17. Trusted Window
  • 18. Verifying Sites
  • 19. Using Tokens
    • Two factor authentication
      • Something you have
      • Usually cryptographic
    • SecurID
    • Smart cards
    • Random cryptographic tokens
    • Scratch cards
  • 20. Using Phones
    • Client side certificates
      • Private keys generated/stored on phone
      • New key for each phone
    • Keys linked to domain names
    • Key generated upon new connection
    • Bluetooth
    • No server modifications
  • 21. Current Browser Support
    • Hardware drivers
      • Crappy browser support
      • Example
    • Simple text box
    • Make using the device unobtrusive
    • Activity #2
  • 22. False Sense of Security
    • JavaScript tricks
      • ING example
      • MITM
      • Spyware
    • Stored images
      • Bank of America example
      • MITM
      • Spyware
    • CAPTCHAs
      • MITM
  • 23. Activity #3
    • What security features really need to be prominent?