1. Conveying Trust or Doing Crazy Shit with Web Browsers
   Serge Egelman

2. Portal to The Interweb
   - Threats to privacy:
     - Phishing
     - Information interception
     - Fraudulent sites
   - The web browser is central; it is also where users read
     - Email
     - IM
   - Detection must occur here

3. In The Beginning…
   - Man-in-the-middle
   - Sniffing
   - SSL addresses these (provided the server certificate is actually validated)
   - Browser SSL indicators
     - Locks
     - Keys
     - Borders
     - URL bar

4. SSL Indicators
   - Microsoft IE
   - Mozilla
   - Firefox
   - Safari

5. But What About Phishing?
   - Toolbars
   - User notification
     - Audio
     - Pop-ups
     - Indicators
   - Community ratings
   - Heuristics

6. Phishing Toolbars
   - Clear Search
     - Scans email using heuristics

7. Phishing Toolbars
   - Cloudmark
     - Community ratings

8. Phishing Toolbars
   - eBay Toolbar
     - Community ratings

9. Phishing Toolbars
   - SpoofGuard
     - URL analysis
     - Password analysis
     - Image analysis

10. Phishing Toolbars
   - Trustbar (Mozilla)
     - Analyzes known sites
     - Analyzes certificate information

11. Phishing Toolbars
   - TrustWatch
     - Site ratings

12. But Do They Work?
   - No: of 25 phishing sites tested
     - Cloudmark: 10 (40%) identified
     - Netcraft: 19 (76%) identified
     - SpoofGuard: 10 (40%) identified
     - TrustWatch: 9 (36%) identified

13. Activity #1
   - Download a phishing toolbar:
     - http://www.cloudmark.com/desktop/download/
     - http://pages.ebay.com/ebay_toolbar/
     - http://crypto.stanford.edu/SpoofGuard/
     - http://trustbar.mozdev.org/
     - http://toolbar.trustwatch.com/
     - http://toolbar.netcraft.com/
   - Pros? Cons?
   - Is it usable?
   - How could it be circumvented?

14. Other Browser Plugins
   - Previously mentioned toolbars
     - Phishing
     - Fraudulent sites
     - Limited intelligence

15. Password Hashing
   - Many users reuse the same password across sites
     - One compromise leads to many
   - Hashing solves this
     - The password is automatically hashed together with the site's domain name before it is sent
     - Each site receives a different value, so a password captured at one site (or at a phishing site) does not work anywhere else
     - The user doesn't notice the difference
   - Implemented as a Mozilla extension
16. Dynamic Security Skins
   - User remembers one image
     - Shown in a trusted browser window that a web page cannot draw over
   - User remembers one password
     - Ease of use
     - Sites get a hashed password, never the password itself
   - Browser and server each render a pattern; the user trusts the server only if the two match
     - Both patterns are generated from a shared secret
17. Trusted Window

18. Verifying Sites

19. Using Tokens
   - Two-factor authentication
     - Something you have
     - Usually cryptographic
   - RSA SecurID
   - Smart cards
   - Random cryptographic tokens
   - Scratch cards

20. Using Phones
   - Client-side certificates
     - Private keys generated and stored on the phone
     - New key for each phone
   - Keys linked to domain names
   - Key generated upon new connection
   - Bluetooth
   - No server modifications

21. Current Browser Support
   - Hardware drivers
     - Poor browser support
     - Example
   - Simple text box
   - Make using the device unobtrusive
   - Activity #2

22. False Sense of Security
   - JavaScript tricks
     - ING example
     - Defeated by MITM
     - Defeated by spyware
   - Stored images (the site shows the user's pre-chosen image)
     - Bank of America example
     - Defeated by MITM
     - Defeated by spyware
   - CAPTCHAs
     - Defeated by MITM
23. Activity #3
   - What security features really need to be prominent?
