Proceedings of the 11th USENIX Security Symposium
Analysis of the SSL 3.0 protocol
WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
WWW electronic commerce and java trojan horses
WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
What do they "indicate?": evaluating security and privacy indicators
interactions - A contradiction in terms?
A framework for reasoning about the human in the loop
UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
Reinforcing bad behaviour: the misuse of security indicators on popular websites
Proceedings of the 22nd Conference of the Computer-Human Interaction Special Interest Group of Australia on Computer-Human Interaction
Effective protection against phishing and web spoofing
CMS'05 Proceedings of the 9th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security
Preventing web-spoofing with automatic detecting security indicator
ISPEC'06 Proceedings of the Second international conference on Information Security Practice and Experience
Proceedings of the 2012 ACM conference on Computer and communications security
Content-based control of HTTPs mail for implementation of IT-convergence security environment
Journal of Intelligent Manufacturing
Hi-index | 0.00 |
Today the standard means for secure transactions in the World Wide Web (WWW) are the SSL/TLS protocols, which provide secure (i.e., private and authentic) channels between browsers and servers. As protocols SSL/TLS are considered secure. However, SSL/TLS's protection ends at the “transport/session layer” and it is up to the application (here web browsers) to preserve the security offered by SSL/TLS. In this paper we provide evidence that most web browsers have severe weaknesses in the browser-to-user communication (graphical user interface), which attackers can exploit to fool users about the presence of a secure SSL/TLS connection and make them disclose secrets to attackers. These attacks, known as “Visual Spoofing”, imitate certain parts of the browser's user interface, pretending that users communicate securely with the desired service, while actually communicating with the attacker. Therefore, most SSL/TLS protected web applications can not be considered secure, due to deficiencies in browser's user interfaces. Furthermore, we characterise Visual Spoofing attacks and discuss why they still affect today's WWW browsers. Finally, we introduce practical remedies, which effectively prevent these attacks and which can easily be included in current browsers or (personal) firewalls to preserve SSL/TLS's security in web applications.