Presentation is loading. Please wait.

Presentation is loading. Please wait.

Conveying Trust Serge Egelman.

Published byBenjamin Hampton Modified over 5 years ago

Similar presentations

Presentation on theme: "Conveying Trust Serge Egelman."— Presentation transcript:

1 Conveying Trust Serge Egelman

2 Portal to The Interweb Threats to privacy: Web browser is central
Phishing Information interception Fraudulent sites Web browser is central IM Detection must occur here

3 In The Beginning… Man-in-the-middle Sniffing SSL solved these
Browser SSL indicators Locks Keys Borders URL bar

4 SSL Indicators Microsoft IE Mozilla Firefox Safari

5 But What About Phishing?
Toolbars User notification Audio Pop-ups Indicators Community ratings Heuristics

6 Phishing Toolbars Clear Search Scans using heuristics

7 Phishing Toolbars Cloudmark Community ratings

8 Phishing Toolbars eBay Toolbar Community ratings

9 Phishing Toolbars SpoofGuard URL analysis Password analysis
Image analysis

10 Phishing Toolbars Trustbar (Mozilla) Analyzes known sites
Analyzes certificate information

11 Phishing Toolbars Trustwatch Site ratings

12 But Do They Work? No 25 Sites tested Cloudmark: 10 (40%) identified
Netcraft: 19 (76%) identified Spoofguard: 10 (40%) identified Trustwatch: 9 (36%) identified

13 Activity #1 Download a phishing toolbar: Pros? Cons? Is it usable?
Pros? Cons? Is it usable? How could it be circumvented?

14 Other Browser Plugins Previously mentioned toolbars Phishing
Fraudulent sites Limited intelligence

15 Password Hashing Many users use same passwords Hashing solves this
One compromise leads to many Knowing real password doesn’t help Hashing solves this Passwords hashed automatically with domain name User doesn’t know the difference Mozilla extension

16 Dynamic Security Skins
User remembers one image Trusted window User remembers one password Ease of use Sites get hashed password Matches two patterns to trust server Generated using a shared secret

17 Trusted Window

18 Verifying Sites

19 Using Tokens Two factor authentication SecureID Smart cards
Something you have Usually cryptographic SecureID Smart cards Random cryptographic tokens Scratch cards

20 Using Phones Client side certificates Keys linked to domain names
Private keys generated/stored on phone New key for each phone Keys linked to domain names Key generated upon new connection Bluetooth No server modifications

21 Current Browser Support
Hardware drivers Crappy browser support Example Simple text box Make using the device unobtrusive Activity #2

22 False Sense of Security
JavaScript tricks ING example MITM Spyware Stored images Bank of America example CAPTCHAs

23 Activity #3 What security features really need to be prominent?

Download ppt "Conveying Trust Serge Egelman."

Similar presentations

The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod.

The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod.
PHISHING AND ANTI-PHISHING TECHNIQUES Sumanth, Sanath and Anil CpSc 620.

PHISHING AND ANTI-PHISHING TECHNIQUES Sumanth, Sanath and Anil CpSc 620.
Online Examination System CLASS MARKER University of Pune Helios Cloud Services.

Online Examination System CLASS MARKER University of Pune Helios Cloud Services.
Web browsers It’s a software application for retrieving and presenting information on WWW. An information resource is identified by a Uniform Resource.

Web browsers It’s a software application for retrieving and presenting information on WWW. An information resource is identified by a Uniform Resource.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University.

CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Don’t Lose Your Identity – Protect Yourself from Spyware Dan Frommer Sherry Minton.

Don’t Lose Your Identity – Protect Yourself from Spyware Dan Frommer Sherry Minton.
CMU Usable Privacy and Security Laboratory A Brief History of Semantic Attacks or How Not to Get Screwed Online Serge Egelman.

CMU Usable Privacy and Security Laboratory A Brief History of Semantic Attacks or How Not to Get Screwed Online Serge Egelman.
Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.

Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.
Web Browser Privacy and Security Part I. Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong

Web Browser Privacy and Security Part I. Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Identity Theft and Safe Computing Keeping yourself You by good habits and good technology.

Identity Theft and Safe Computing Keeping yourself You by good habits and good technology.
FIRST COURSE Computer Concepts Internet and Email Microsoft Office Get to Know Your Computer.

FIRST COURSE Computer Concepts Internet and Microsoft Office Get to Know Your Computer.

Similar presentations

Ads by Google