Enhancing web browsing security on public terminals using mobile composition

  • Authors: Richard Sharp; Anil Madhavapeddy; Roy Want; Trevor Pering

  • Affiliations: Citrix Systems Inc, Cambridge, UK; Citrix Systems Inc, Cambridge, UK; Intel Corporation, Santa Clara, CA, USA; Intel Corporation, Santa Clara, CA, USA

  • Venue: Proceedings of the 6th international conference on Mobile systems, applications, and services
  • Year: 2008

Abstract

This paper presents an architecture that affords mobile users greater trust and security when browsing the internet (e.g., when making personal/financial transactions) from public terminals at Internet Cafes or other unfamiliar locations. This is achieved by enabling web applications to split their client-side pages across a pair of browsers: one untrusted browser running on a public PC and one trusted browser running on the user's personal mobile device, composed into a single logical interface through a local connection, wired or wireless. Information entered via the personal device's keypad cannot be read by the PC, thwarting PC-based key-loggers. Similarly, information displayed on the personal device's screen is also hidden from the PC, preserving the confidentiality and integrity of security-critical data even in the presence of screen grabbing attacks and compromised PC browsers. We present a security policy model for split-trust web applications that defends against a range of crimeware-based attacks, including those based on active-injection (e.g. inserting malicious packets into the network or spoofing user-input events). Performance results of a prototype split-trust implementation are presented, using a commercially available cell phone as a trusted personal device.