Using the mobile phone as a security token for unified authentication
ICSNC '07 Proceedings of the Second International Conference on Systems and Networks Communications
Perspectives: improving SSH-style host authentication with multi-path probing
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
Trust '08 Proceedings of the 1st international conference on Trusted Computing and Trust in Information Technologies: Trusted Computing - Challenges and Applications
Man-in-the-Middle Attack to the HTTPS Protocol
IEEE Security and Privacy
Caveat eptor: A comparative study of secure device pairing methods
PERCOM '09 Proceedings of the 2009 IEEE International Conference on Pervasive Computing and Communications
TruWallet: trustworthy and migratable wallet-based web authentication
Proceedings of the 2009 ACM workshop on Scalable trusted computing
TruWalletM: secure web authentication on mobile platforms
INTRUST'10 Proceedings of the Second international conference on Trusted Systems
| Hi-index | 0.00 |
Web transactions are vulnerable for attacks where malicious software has infected a browser or where a root certifier has been compromised. As a countermeasure, we intercept HTTPS traffic in order to authorise certifiers as well as to inspect, verify and complement transactions securely. The interception and inspection is done in a trusted device, outside potentially compromised PC and browser. We propose a novel and flexible mechanism for controlling interception dynamically with directives embedded into HTML documents. We limit the authority of root certifiers over critical services with site-specific certification rules. We propose different models for realising the interceptor concept. The feasibility of the proposals is demonstrated by implementing and deploying interception into a USB gadget and a mobile phone.