An Empirical Evaluation of Security Indicators in Mobile Web Browsers


Security indicators play a crucial role in determining the security of web pages on mobile browsers. This study evaluates the effectiveness of security indicators in identifying potential threats such as phishing and man-in-the-middle attacks. The research examines W3C guidelines, mobile browser compliance, identity signals, and certificate trustworthiness. Findings highlight the importance of clear security indicators for user protection in mobile web browsing.


Uploaded on Oct 04, 2024



Presentation Transcript


  1. An Empirical Evaluation of Security Indicators in Mobile Web Browsers. Chaitrali Amrutkar, Patrick Traynor and Paul C. van Oorschot. Presentation by: Adarsh Pillay

  2. OVERVIEW Security indicators are the browser user-interface elements that tell the user whether a web page is secure, in the context of web browsing. Security-sensitive operations are no longer restricted to the desktop; mobile browsers are increasingly relied upon for them as well. The W3C has set forth guidelines on how a web user interface should convey security. The authors performed experiments on popular mobile, tablet and desktop browsers and compared the results.

  3. CONTENT

  4. INTRODUCTION Users increasingly rely on mobile devices for sensitive personal, social and financial exchanges. Yet users keep getting attacked even though browsers ship strong cryptographic tools, and the reason for this is not immediately clear. The goal is to check whether the security indicators as implemented allow expert users to accurately determine the identity of a website. The attacks considered are of different types, such as phishing and man-in-the-middle. Also, EV-SSL indicators are missing in the mobile browsers.

  5. W3C TERMINOLOGIES

  6. W3C GUIDELINES

  7. IMPLEMENTATION SET UP In the tables on the coming slides, a cross mark means that the browser does not comply with the W3C guideline, and a bullet means that the browser does comply with it.

  8. IDENTITY SIGNAL The identity signal contains information about:
  - the owner of the website, and
  - the corresponding issuer of the certificate.
  It MUST be available to the user through either interface (primary or secondary) at all times.

  9. CERTIFICATES Certificates MUST provide the reasons for trust. The browser interface is checked for the following:
  - Reason of trust: whether the certificate was accepted interactively or not.
  - Same website's domain name: whether the certificate matches the site's domain.
  - Whether the certificate was self-signed or not; if self-signed, whether this fact is presented to the user or not.

  10. TLS INDICATORS The guidelines fall into three categories:
  - Availability: the TLS indicators MUST be available to the user through either interface (primary or secondary) at all times. The experiment checks whether cipher details are available and whether a lock icon is shown.
  - Content and indicator proximity: content MUST NOT be displayed in a manner that confuses hosted content with the browser's own security user interface. If a browser allows a favicon to be placed next to the padlock, an attacker can feign a secure website by using a lock-like favicon that mimics the security indicator.
  - Significance of presence: any UI indicator MUST NOT signal the presence of a certificate unless all parts of the webpage are loaded over TLS. If a browser displays a TLS indicator for a webpage consisting of mixed content, this guideline is not followed.

  11. Observations of TLS Indicators on Mobile, Tablet and Desktop Browsers

  12. ROBUSTNESS Web content MUST NOT obscure the security user interface. The TLS indicators found on the user interface are the lock icon, the https URL prefix, URL coloring and the site identity button. The visibility of these indicators depends on whether the screen is in landscape or portrait mode.

  13. ERROR MESSAGES
  - Interruption: both warning/caution and danger messages MUST interrupt the user's current task, such that the user has to acknowledge the message.
  - Proceeding options: warning/caution messages MUST provide the user with distinct options for how to proceed (i.e., these messages MUST NOT lead to a situation in which the only option presented to the user is to dismiss the warning and continue).
  - Inhibit operation: the interactions for danger messages MUST be presented in a way that makes it impossible for the user to go to or interact with the destination website that caused the danger situation, without first explicitly interacting with the danger message.

  14. Observations of Error Messages on Mobile, Tablet and Desktop Browsers A cross with a star means that the browser fails to warn the user, in the authors' view. NA means that the particular experiment is not applicable to that browser.

  15. ADDITIONAL RESULTS : POSITIVE The NULL cipher is one of the most dangerous ciphers, as it represents the complete absence of an encrypted communication channel. The guideline states that SSL version 2 MUST NOT be supported; after the experiment the authors found that none of the mobile or tablet browsers support it. Likewise, none of the mobile or tablet browsers support the NULL cipher.

  16. ADDITIONAL RESULTS : NEGATIVE A browser that supports a weak cipher can enable a network attacker to break the encrypted messages. The authors checked support for the weak cipher DES-CBC-SHA: 6 mobile and tablet browsers support it. The others display error messages conveying that no encryption protocol could be agreed with the server. Observations

  17. ADDITIONAL RESULTS : NEUTRAL The inconsistency across browsers from the same vendor adds to the already confusing task of telling whether a website is EV-SSL or SSL certified. SSL certificates can be merely domain-validated, so users cannot tell whether the website owner has been validated or not. In a browser with no differentiation between SSL and EV-SSL certificates, the two are the same from the user's perspective; the sole difference visible to the user is the set of indicators shown in the browser. The W3C documents make no distinction between EV-SSL and SSL certificates. SSL certificates are cheaper to obtain than EV-SSL certificates, since less validation is required.

  18. USER DECEPTION AND POSSIBLE ATTACKS If the W3C guidelines are not followed, users can easily be misled about the identity of a website or the security of the connection. Four types of attack are discussed, each made possible by the violation of one or more W3C guidelines:
  - Phishing without SSL
  - Phishing with SSL
  - Phishing using a compromised CA
  - Industrial espionage

  19. PHISHING WITHOUT SSL The attacker masquerades as a trustworthy entity by closely imitating the legitimate website's identity together with lock icon spoofing, launching the attack without SSL. The domain name is chosen to be quite similar to the legitimate website, giving the impression of the correct identity. The favicon is made a lock image, giving the illusion of strong encryption. When the page is rendered in a browser where viewing the URL is difficult, or which offers no UI to view the website's identity information, even an advanced user may fall for the phishing. In the table, a cross means that the attack is possible and a bullet means that the corresponding attack is not possible.

  20. PHISHING WITH SSL Spoofing only the lock icon is not adequate for a successful phishing attack. An attacker can buy an inexpensive SSL certificate for the website to increase the credibility of the attack: it adds the https URL prefix and URL coloring to the lock icon. Thus, if the user blindly trusts these indicators, they will fall for the phishing attack.

  21. PHISHING USING A COMPROMISED CA The attacker obtains rogue certificates for legitimate websites by compromising a CA. If a browser trusts a CA, it does not check whether that CA has been compromised. An expert user can verify the certificate issuer's organization in the chain and thereby avoid interacting with a malicious website presenting a rogue certificate. But if the browser offers no user interface for viewing the certificate, then even an expert user can be subjected to the phishing attack.

  22. INDUSTRIAL ESPIONAGE/EAVESDROPPING
  - SSLstrip attack: the attacker sits on the local network and intercepts traffic. When the attacker sees a request for an encrypted https site, it substitutes an unencrypted http version of it. This switching strips away the security while deceiving the server into believing that an encrypted page has been sent to the client.
  - Cipher downgrade attack: an attacker can tamper with the initial messages the client sends to the server to set up the connection, replacing the ciphers the client offers with weak ciphers before forwarding them to the server. On receiving the weak ciphers, the server can either establish the connection or drop it. If the connection is established, all data is transmitted under the weak cipher, and the attacker can record the traffic and break it offline. Even an expert user can be subjected to this attack.
  - Mixed content: the attacker can tamper with the unencrypted parts of a webpage consisting of mixed content by replacing them with malicious content of their choice. Even expert users are unable to detect this if the browser displays the SSL indicators for a webpage containing mixed content.

  23. RELATED WORK
  Traditional browser indicators: these include a range of indicators such as the https prefix and the lock icon, but they generally go unnoticed or are absent on websites. Many users do not understand the concept of the lock icon and certificates. There are also many domain name mismatches between certificates and websites.
  Mobile browser indicators: the growing user base of mobile web browsers and mobile e-commerce has brought attackers' focus to them. Because the user interface differs from that of desktop browsers, the use of security indicators in mobile browsers deserves particular attention.
  Techniques for better indicators: better warnings; more effective interface dialogues; a trusted path from browser to user; disabling JavaScript in the user's browser and forcing a persistent view of the browser's location bar; dynamic security skins; and, finally, efforts to standardize security indicators and thus minimize confusion across browsers.

  24. CONCLUDING REMARKS Modern mobile browsers implement a range of security-sensitive operations and features comparable to desktop browsers, but they lag behind the desktop because of screen size constraints. Tremendous inconsistency was observed in the security indicators of mobile browsers. Furthermore, the addition of EV-SSL certificates makes the mobile ecosystem more complex without producing much benefit. Such significant differences make it difficult even for expert users to detect security issues, raising serious concern about how average users will cope.

  25. THANK YOU
