DOI: 10.1007/978-3-642-33383-5_6
Article

Measuring SSL indicators on mobile browsers: extended life, or end of the road?

Published: 19 September 2012

Abstract

Mobile browsers are increasingly being relied upon to perform security-sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real estate significantly change the use and consistency of the security indicators and certificate information that alert users to site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, against the guidelines for web user interfaces that convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of the guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. Finally, we use this evidence to argue that the combination of reduced screen space and an independent selection of security indicators not only makes it difficult for experts to determine the security standing of mobile browsers, but actually makes mobile browsing more dangerous for average users, since the indicators provide a false sense of security.




Published In

ISC'12: Proceedings of the 15th International Conference on Information Security
September 2012, 400 pages
ISBN: 9783642333828
Editors: Dieter Gollmann, Felix C. Freiling

Sponsors

• University of Passau

Publisher

Springer-Verlag, Berlin, Heidelberg


Cited By

• (2021) On the Usability (In)Security of In-App Browsing Interfaces in Mobile Apps. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 386-398. DOI 10.1145/3471621.3471625. Online publication date: 6 Oct 2021.
• (2019) "Johnny, you are fired!" - spoofing openPGP and S/MIME signatures in emails. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1011-1028. DOI 10.5555/3361338.3361409. Online publication date: 14 Aug 2019.
• (2017) Hindsight. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 149-162. DOI 10.1145/3133956.3133987. Online publication date: 30 Oct 2017.
• (2016) Rethinking connection security indicators. Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security, pp. 1-13. DOI 10.5555/3235895.3235897. Online publication date: 22 Jun 2016.
• (2016) A Survey of Authentication and Communications Security in Online Banking. ACM Computing Surveys 49(4), pp. 1-35. DOI 10.1145/3002170. Online publication date: 5 Dec 2016.
• (2015) Danger is my middle name. Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pp. 1-6. DOI 10.1145/2766498.2766522. Online publication date: 22 Jun 2015.
• (2014) A Tangled Mass. Proceedings of the 10th ACM International Conference on Emerging Networking Experiments and Technologies, pp. 141-148. DOI 10.1145/2674005.2675015. Online publication date: 2 Dec 2014.
• (2013) A Dangerous Mix. Proceedings of the 16th International Conference on Information Security - Volume 7807, pp. 354-363. DOI 10.1007/978-3-319-27659-5_25. Online publication date: 13 Nov 2013.
• (2012) Short paper. Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 15-20. DOI 10.1145/2381934.2381939. Online publication date: 19 Oct 2012.
