Users increasingly entrust websites with their personal and sensitive information. Sites commonly protect this information using user-supplied credentials (i.e., logins). We conducted a measurement study of top websites and surprisingly found that they transmit these credentials in the clear, thus leaving them vulnerable to eavesdropping. To make matters worse, users are often unaware of this threat because sites and browsers reflect little information about how logins are handled. As a first step towards solving this problem, we develop techniques for measuring logins in browsers to predict how logins would be handled before they are submitted. We demonstrate that achieving this goal requires instrumentation at the application layer and inside browsers. Specifically, network traces are not sufficient for determining login safety in general because of application-layer encryption; similarly, application-layer traces are insufficient because login submission logic may be generated in the browser at runtime. Based on a measurement study using login pages gathered from popular sites, in addition to those visited by users through normal Web browsing, we found such predictions to be quite challenging because there is no standard format for Web logins. However, by applying a carefully chosen set of rules when measuring logins, we almost always correctly predict how logins will be handled.
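The prediction problem described in the abstract, as an added example that is not the paper's own code or rule set: given what the browser knows at the moment a form is submitted (page URL, the form's effective action and method, whether it carries a password field), resolve the submission target the way a browser would and say whether the credentials would leave the browser in the clear. The input shape, verdict names and sample forms are assumptions of this example.

```javascript
// Resolve the URL a form would submit to, following browser rules:
// an empty or missing action submits to the document's own URL, and a
// relative action is resolved against the page URL (so it inherits the
// page's scheme). Assumed helper, not from the paper.
function resolveAction(pageUrl, action) {
  if (action === undefined || action === null || action.trim() === '') {
    return new URL(pageUrl);
  }
  return new URL(action, pageUrl);
}

// Classify one login form. The caller must pass the action as it stands
// when the submit event fires, so that actions rewritten by script at
// runtime are judged rather than the static HTML attribute.
// Verdicts: 'not-a-login', 'clear', 'encrypted', 'encrypted-from-insecure-page'.
function classifyLogin(form) {
  const { pageUrl, action, method = 'get', hasPassword = true } = form;
  if (!hasPassword) return { verdict: 'not-a-login', reasons: [] };
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, action);
  const reasons = [];
  if (method.toLowerCase() === 'get') {
    reasons.push('GET places credentials in the request URL');
  }
  if (target.protocol !== 'https:') {
    reasons.push(`submission target ${target.href} is not https`);
    return { verdict: 'clear', reasons };
  }
  if (page.protocol !== 'https:') {
    reasons.push('form was served over http, so its target could be altered before submit');
    return { verdict: 'encrypted-from-insecure-page', reasons };
  }
  return { verdict: 'encrypted', reasons };
}

// Constructed sample forms covering the resolution cases above.
function sampleForms() {
  return [
    { pageUrl: 'http://shop.example/login', action: '/auth', method: 'post' },
    { pageUrl: 'http://shop.example/login', action: '', method: 'post' },
    { pageUrl: 'http://shop.example/login', action: 'https://sso.example/auth', method: 'post' },
    { pageUrl: 'https://bank.example/', action: '//bank.example/login', method: 'get' },
    { pageUrl: 'https://bank.example/', action: 'search', method: 'get', hasPassword: false },
  ];
}

function auditForms(forms) {
  return forms.map(classifyLogin);
}

auditForms(sampleForms()).forEach((r, i) => console.log(i, r.verdict, r.reasons));
```

In a browser this is invoked from a `submit` listener that reads `form.action` at that instant; logins sent through XMLHttpRequest or fetch by script never pass through a form and need separate instrumentation, which is the runtime-generated case the abstract describes.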