A gesture-based authentication scheme for untrusted public terminals
Proceedings of the 17th annual ACM symposium on User interface software and technology
Experiences in passively detecting session hijacking attacks in IEEE 802.11 networks
ACSW Frontiers '06 Proceedings of the 2006 Australasian workshops on Grid computing and e-research - Volume 54
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
Hand-held computers can be better smart cards
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
End-to-end web application security
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Transaction generators: root kits for web
HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
Sessionlock: securing web sessions against eavesdropping
Proceedings of the 17th international conference on World Wide Web
Enhancing web browsing security on public terminals using mobile composition
Proceedings of the 6th international conference on Mobile systems, applications, and services
Trustworthy and personalized computing on public kiosks
Proceedings of the 6th international conference on Mobile systems, applications, and services
Tagging the Turtle: Local Attestation for Kiosk Computing
ISA '09 Proceedings of the 3rd International Conference and Workshops on Advances in Information Security and Assurance
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
Symmetric Cryptography in Javascript
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Using a personal device to strengthen password authentication from an untrusted computer
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Rootkits for JavaScript environments
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
How unique is your web browser?
PETS'10 Proceedings of the 10th international conference on Privacy enhancing technologies
Kamouflage: loss-resistant password management
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
An analysis of private browsing modes in modern browsers
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Secure mobile computing via public terminals
PERVASIVE'06 Proceedings of the 4th international conference on Pervasive Computing
SessionSafe: implementing XSS immune session handling
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
Proceedings of the 2013 ACM workshop on Digital identity management
Hi-index | 0.00 |
We use modern features of web browsers to develop a secure login system from an untrusted terminal. The system, called Session Juggler, requires no server-side changes and no special software on the terminal beyond a modern web browser. This important property makes adoption much easier than with previous proposals. With Session Juggler users never enter their long term credential on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal. We show that Session Juggler works on all the Alexa top 100 sites except eight. Of those eight, five failures were due to the site enforcing IP session binding. We also show that Session Juggler works flawlessly with Facebook connect. Beyond login, Session Juggler also provides a secure logout mechanism where the trusted phone is used to kill the session. To validate the session juggling concept we conducted a number of web site surveys that are of independent interest. First, we survey how web sites bind a session token to a specific device and show that most use fairly basic techniques that are easily defeated. Second, we survey how web sites handle logout and show that many popular sites surprisingly do not properly handle logout requests.