A rambling talk about how the same things that make up effective design are misused to create effective phishing pages. Additionally, the browser UI and security controls focus on things that most people completely ignore.
The idea of the presentation was to plant a seed of an idea that designers might be able to shape and take the lead in designing secure solutions meant for ordinary non-technical users if they start thinking about security as part of their deliverable.
This can even be done by ensuring that security team and designers collaborate on more projects together.
The presentation makes a lot more sense with the accompanying video.
Talk about a KSRTC person using the computer to go to Google:
• Typed google in the address bar
• Clicked on Google.co.in when the results were displayed.
• Typed KSRTC in the google.co.in search box
• Clicked on the KSRTC link, which was the 1st search result.
Two examples where this trust collides with effective design and makes the UI/UX bad for the user:
1. Password Reset/Change feature
2. An SSL enabled website
How password reset should work (slide mock-up of the form)
• Enter email to reset password: firstname.lastname@example.org
• Password you get back: YourSuperSecretPassword
What went down behind the scenes
• Code loaded in the browser sent that email to the server.
• Server did a bunch of things like check if the email was in the database, generated a password etc.
The difficult part & UI nightmare: How does the server know that it is you who filled in the email and that you are the owner of this email address?
So how is it supposed to work?
• Using out of band communication.
• Code loaded in the browser sent that email to the server.
And…..?
• Web server will email you a unique link, hoping that the email address is in your hands.
• You click on the link and go back to the server.
• Server confirms the link is proper and allows you to reset the password.
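The out-of-band flow on these slides written out as a worked example (added here, not code from the talk). It assumes an in-memory store, a 15-minute expiry and an example.org reset URL, all constructed for illustration; note that only the link is ever emailed, so no password travels in cleartext.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links die after 15 minutes

# Constructed in-memory stores standing in for the server's database.
USERS = {"firstname.lastname@example.org": {"salt": b"", "pw_hash": b""}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}


def _hash_token(token):
    # Store only a hash: a leaked token table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def request_reset(email, now=None):
    """Step 1: the form posts only the email. Returns the link the server
    would send out-of-band (by email), or None when no account exists; the
    caller shows the same 'check your inbox' message either way so the form
    cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits; unguessable by an intermediary
    RESET_TOKENS[_hash_token(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return f"https://example.org/reset?token={token}"  # assumed path, emailed only


def redeem_reset(token, new_password, now=None):
    """Step 2: the user follows the link. Holding a live token is the proof
    that they control the inbox. Tokens are single use and expire."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_hash_token(token), None)  # pop: consumed on first use
    if record is None or now > record["expires"]:
        return False
    salt = secrets.token_bytes(16)
    USERS[record["email"]] = {"salt": salt, "pw_hash": _hash_password(new_password, salt)}
    return True


def verify_password(email, password):
    user = USERS.get(email)
    if user is None or not user["pw_hash"]:
        return False
    return secrets.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))
```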
Just FYI, the email address you sent to the server and the password you got back were in CLEARTEXT.
People/stuff between you & the server
• Wireless Network
• Helpful IT admin monitoring for “bad traffic”
• ISP gateway with helpful IT admin “monitoring”
• Country level gateway with helpful govt. IT admin “monitoring” – Think Tunisia, Egypt, Iran
• Helpful Server admin “monitoring”
• And who knows what else is out there.
Just to recap!
• Effective Design/UI/UX inspires trust.
• People trust based on strong visual cues.
• These cues can be faked.
• So ideally trust no one.
• If we use the common sense approach to generating a new password, we will need to trust multiple intermediaries.
So how do we create secure websites?
Finally a problem worthy of philosoraptor
I don’t have any answers for you
• I am not a designer. I understand security in systems.
• I understand that people want to use systems to do things, not get stopped due to security or insecurity.
• The idea was to get your attention and see if these problems can be solved using design.
@makash Akash Mahajan
That Web Application Security Guy