
aleph1_at_securityfocus.com
Date: Tue Jul 16 2002 - 01:20:57 CDT


    Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing
    E. Ye, S.W. Smith

    The security of the vast majority of "secure" Web services rests on SSL
    server PKI. However, this PKI doesn't work if the adversary can trick
    the browser into appearing to tell the user the wrong thing about the
    certificates and cryptography. The seminal web spoofing work of Felten
    et al demonstrated the potential, in 1996, for malicious servers to
    impersonate honest servers. Our recent follow-up work explicitly shows
    how malicious servers can still do this -- and can also forge the
    existence of an SSL session and the contents of the alleged server
    certificate.

    This paper reports the results of our work to systematically defend against
    Web spoofing, by creating a trusted path from the browser to the user.
    Starting with the Mozilla source, we have implemented techniques that
    protect a wide variety of browser-user communications, that require little
    participation by the user and minimal disruption of the displayed server
    content. We have prepared shell scripts that install these modifications on
    the Mozilla source, to enable others to replicate this work.

    In ongoing work, we are cleaning up and fine-tuning our code. In future
    work, we hope to examine more deeply the role of user interfaces in
    enabling users to make effective trust judgements.

    http://www.cs.dartmouth.edu/~pkilab/papers/tr418.pdf

    -- 
    Elias Levy
    SecurityFocus
    http://www.securityfocus.com/
    Si vis pacem, para bellum