Conveying Trust - PowerPoint PPT Presentation

About This Presentation
Title:

Conveying Trust

Description:

Trustbar (Mozilla) Analyzes known sites. Analyzes certificate information. Phishing Toolbars ... Mozilla extension. Dynamic Security Skins. User remembers one ... – PowerPoint PPT presentation

Slides: 24
Provided by: sergee
Learn more at: http://cups.cs.cmu.edu
Transcript and Presenter's Notes

1
Conveying Trust
  • Serge Egelman

2
Portal to The Interweb
  • Threats to privacy
    • Phishing
    • Information interception
    • Fraudulent sites
  • Web browser is central
    • Email
    • IM
  • Detection must occur here

3
In The Beginning
  • Man-in-the-middle
  • Sniffing
  • SSL solved these
  • Browser SSL indicators
    • Locks
    • Keys
    • Borders
    • URL bar

4
SSL Indicators
  • Microsoft IE
  • Mozilla
  • Firefox
  • Safari

5
But What About Phishing?
  • Toolbars
  • User notification
  • Audio
  • Pop-ups
  • Indicators
  • Community ratings
  • Heuristics

6
Phishing Toolbars
  • Clear Search
    • Scans email using heuristics

7
Phishing Toolbars
  • Cloudmark
    • Community ratings

8
Phishing Toolbars
  • eBay Toolbar
    • Community ratings

9
Phishing Toolbars
  • SpoofGuard
    • URL analysis
    • Password analysis
    • Image analysis

10
Phishing Toolbars
  • Trustbar (Mozilla)
    • Analyzes known sites
    • Analyzes certificate information

11
Phishing Toolbars
  • Trustwatch
    • Site ratings

12
But Do They Work?
  • No
  • 25 sites tested
    • Cloudmark: 10 (40%) identified
    • Netcraft: 19 (76%) identified
    • SpoofGuard: 10 (40%) identified
    • Trustwatch: 9 (36%) identified

13
Activity 1
  • Download a phishing toolbar
    • http://www.cloudmark.com/desktop/download/
    • http://pages.ebay.com/ebay_toolbar/
    • http://crypto.stanford.edu/SpoofGuard/
    • http://trustbar.mozdev.org/
    • http://toolbar.trustwatch.com/
    • http://toolbar.netcraft.com/
  • Pros? Cons?
  • Is it usable?
  • How could it be circumvented?

14
Other Browser Plugins
  • Previously mentioned toolbars
  • Phishing
  • Fraudulent sites
  • Limited intelligence

15
Password Hashing
  • Many users use the same passwords
    • One compromise leads to many
    • Knowing the real password doesn't help
  • Hashing solves this
    • Passwords hashed automatically with domain name
    • User doesn't know the difference
    • Mozilla extension
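
The per-domain hashing the slide describes, as an added example (this is not the Mozilla extension's own code; the PBKDF2 derivation, the "www." stripping and the 16-character encoding are my assumptions):

```python
import base64
import hashlib
from urllib.parse import urlparse

def site_domain(url: str) -> str:
    """Reduce whatever is in the address bar to the host name that keys
    the hash. Assumption: the lowercased host with a leading 'www.'
    removed; path, port and query are ignored."""
    if "://" not in url:
        url = "https://" + url          # bare host names are accepted too
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the password the site actually receives from the user's one
    master password and the domain. Assumption: PBKDF2-HMAC-SHA256 with
    the domain as salt, URL-safe base64, truncated to `length` characters.
    The slow KDF matters: a site that leaks its copy of the derived
    password still has to guess the master password offline."""
    domain = site_domain(url)
    if not domain:
        raise ValueError("no host name in %r" % url)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), 100_000)
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]

def demo() -> dict:
    """The property the slide relies on: one master password yields a
    different, unrelated password per domain, so a look-alike domain
    (constructed sample names below) never receives the bank's password."""
    master = "correct horse battery staple"      # constructed sample
    return {
        "bank": site_password(master, "https://www.example-bank.test/login"),
        "bank_again": site_password(master, "example-bank.test"),
        "lookalike": site_password(master, "https://example-bank.test.evil.test/"),
    }
```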

16
Dynamic Security Skins
  • User remembers one image
    • Trusted window
  • User remembers one password
    • Ease of use
    • Sites get hashed password
  • Matches two patterns to trust server
    • Generated using a shared secret

17
Trusted Window

18
Verifying Sites

19
Using Tokens
  • Two-factor authentication
    • Something you have
    • Usually cryptographic
  • SecurID
  • Smart cards
  • Random cryptographic tokens
  • Scratch cards

20
Using Phones
  • Client-side certificates
  • Private keys generated/stored on phone
  • New key for each phone
  • Keys linked to domain names
  • Key generated upon new connection
  • Bluetooth
  • No server modifications

21
Current Browser Support
  • Hardware drivers
  • Crappy browser support
  • Example
  • Simple text box
  • Make using the device unobtrusive
  • Activity 2

22
False Sense of Security
  • JavaScript tricks
    • ING example
      • MITM
      • Spyware
  • Stored images
    • Bank of America example
      • MITM
      • Spyware
  • CAPTCHAs
    • MITM

23
Activity 3
  • What security features really need to be prominent?