Protecting secret keys with personal entropy
Future Generation Computer Systems - Special issue on security on the Web
Communications of the ACM - Ontology: different ways of representing the same concept
Users' conceptions of risks and harms on the web: a comparative study
CHI '02 Extended Abstracts on Human Factors in Computing Systems
Users' conceptions of web security: a comparative study
CHI '02 Extended Abstracts on Human Factors in Computing Systems
Proceedings of the 11th USENIX Security Symposium
How to Make Personalized Web Browsing Simple, Secure, and Anonymous
FC '97 Proceedings of the First International Conference on Financial Cryptography
Secure Applications of Low-Entropy Keys
ISW '97 Proceedings of the First International Workshop on Information Security
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
A convenient method for securely managing passwords
WWW '05 Proceedings of the 14th international conference on World Wide Web
The battle against phishing: Dynamic Security Skins
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do security toolbars actually prevent phishing attacks?
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Passpet: convenient password management and phishing protection
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Web wallet: preventing phishing attacks by revealing user intentions
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Design principles and patterns for computer systems that are simultaneously secure and usable
Perils of transitive trust in the domain name system
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Dos and don'ts of client authentication on the web
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Stronger password authentication using browser extensions
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
The Emperor's New Security Indicators
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
A usability study and critique of two password managers
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
SSH: secure login connections over the internet
SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
Protecting browsers from DNS rebinding attacks
Proceedings of the 14th ACM conference on Computer and communications security
Proximity breeds danger: emerging threats in metro-area wireless networks
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
An evaluation of extended validation and picture-in-picture phishing attacks
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
WSKE: web server key enabled cookies
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Phoolproof phishing prevention
FC'06 Proceedings of the 10th international conference on Financial Cryptography and Data Security
ForceHTTPS: protecting high-security web sites from network attacks
Proceedings of the 17th international conference on World Wide Web
A user study design for comparing the security of registration protocols
UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy
ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
OMash: enabling secure web mashups via object abstractions
Proceedings of the 15th ACM conference on Computer and communications security
Anti-phishing based on automated individual white-list
Proceedings of the 4th ACM workshop on Digital identity management
Stronger TLS bindings for SAML assertions and SAML artifacts
Proceedings of the 2008 ACM workshop on Secure web services
Protecting browsers from DNS rebinding attacks
ACM Transactions on the Web (TWEB)
A Browser-Based Kerberos Authentication Scheme
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
A Universally Composable Framework for the Analysis of Browser-Based Security Protocols
ProvSec '08 Proceedings of the 2nd International Conference on Provable Security
User-aware provably secure protocols for browser-based mutual authentication
International Journal of Applied Cryptography
Risks of the CardSpace Protocol
ISC '09 Proceedings of the 12th International Conference on Information Security
Browser-Based Intrusion Prevention System
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
SSLock: sustaining the trust on entities brought by SSL
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Residue objects: a challenge to web browser security
Proceedings of the 5th European conference on Computer systems
Designing and Implementing the OP and OP2 Web Browsers
ACM Transactions on the Web (TWEB)
Using one-time passwords to prevent password phishing attacks
Journal of Network and Computer Applications
Contego: capability-based access control for web browsers
TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing
Re-designing the web's access control system
DBSec'11 Proceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy
The power of recognition: secure single sign-on using TLS channel bindings
Proceedings of the 7th ACM workshop on Digital identity management
Crouching tiger - hidden payload: security risks of scalable vector graphics
Proceedings of the 18th ACM conference on Computer and communications security
SCUTA: a server-side access control system for web applications
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Using automated individual white-list to protect web digital identities
Expert Systems with Applications: An International Journal
Contextual OTP: mitigating emerging man-in-the-middle attacks with wireless hardware tokens
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
On the fragility and limitations of current browser-provided clickjacking protection schemes
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Preventing the revealing of online passwords to inappropriate websites with LoginInspector
LISA'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Content-based isolation: rethinking isolation policy design on client systems
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Eradicating DNS rebinding with the extended same-origin policy
SEC'13 Proceedings of the 22nd USENIX conference on Security
ECC-based anti-phishing protocol for cloud computing services
International Journal of Security and Networks
We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. Because the hijack happens after the user has authenticated, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, and so on. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys. We show how our policies help two existing web authentication mechanisms, client-side SSL and SSL-only cookies, resist both pharming and stronger active attacks. We also present a deployability analysis of our policies based on a study of 14651 SSL domains. Our results suggest that one of our policies can be deployed today and interoperate seamlessly with the vast majority of legacy web servers. For our other policy, we present a simple, incrementally deployable opt-in mechanism for legacy servers using policy files, and show how web sites can use policy files to support self-signed and untrusted certificates, shared subdomain objects, and key updates.