DOI:10.1145/1060745.1060817

Hardening Web browsers against man-in-the-middle and eavesdropping attacks

Published: 10 May 2005

Abstract

Existing Web browsers handle security errors in a manner that often confuses users. In particular, when a user visits a secure site whose certificate the browser cannot verify, the browser typically allows the user to view and install the certificate and connect to the site despite the verification failure. However, few users understand the risk of man-in-the-middle attacks and the principles behind certificate-based authentication. We propose context-sensitive certificate verification (CSCV), whereby the browser interrogates the user about the context in which a certificate verification error occurs. Considering the context, the browser then guides the user in handling and possibly overcoming the security error. We also propose specific password warnings (SPW) when users are about to send passwords in a form vulnerable to eavesdropping. We performed user studies to evaluate CSCV and SPW. Our results suggest that CSCV and SPW can greatly improve Web browsing security and are easy to use even without training. Moreover, CSCV had greater impact than did staged security training.
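The SPW idea from the abstract, as an added example that is not code from the paper: a JavaScript model that decides, for each form on a page, whether submitting it would send a password where an eavesdropper could read it. It assumes forms are passed as plain objects standing in for DOM form elements; the action URL is resolved the way a browser resolves it.

```javascript
// Added example, not code from the paper: a small model of the "specific
// password warning" (SPW) idea. A form with a password field is flagged when
// the URL it will actually submit to is not https, because the password would
// cross the network in clear text where an eavesdropper on the path could read it.
// Assumption: forms are plain objects {action, method, fields}, a stand-in for
// the DOM <form> elements a browser extension would inspect.

function resolveAction(action, pageUrl) {
  // An empty action submits back to the page; a relative one is resolved
  // against the page URL, exactly as the browser will do it.
  return action ? new URL(action, pageUrl) : new URL(pageUrl);
}

function passwordExposure(form, pageUrl) {
  const pwFields = form.fields.filter(f => f.type === 'password').map(f => f.name);
  if (pwFields.length === 0) return { warn: false, reason: 'no password field' };
  const target = resolveAction(form.action, pageUrl);
  if (target.protocol === 'https:') {
    // Eavesdropping is covered. The page itself may still have come over http,
    // where a man-in-the-middle could have rewritten the action; that is the
    // certificate (CSCV) side of the problem, not the eavesdropping side.
    return { warn: false, reason: 'submits over TLS', target: target.href };
  }
  let reason = `password field(s) ${pwFields.join(', ')} would be sent in clear ` +
               `text to ${target.host}`;
  if ((form.method || 'get').toLowerCase() === 'get') {
    // GET also puts the password in the URL, so it lands in logs and history.
    reason += ' as part of the URL of a GET request';
  }
  return { warn: true, reason, target: target.href, fields: pwFields };
}

// Scan every form on a page and keep only those that need a warning; this is
// what a submit-time hook would consult before letting the request go out.
function specificPasswordWarnings(pageUrl, forms) {
  return forms
    .map(form => ({ form, ...passwordExposure(form, pageUrl) }))
    .filter(r => r.warn);
}

// Constructed sample page: a login form posting relative to an http page,
// a search form with no password, and a login form posting to an https host.
const SAMPLE_PAGE = 'http://shop.example/account/login';
const SAMPLE_FORMS = [
  { action: 'do_login', method: 'post',
    fields: [{ name: 'user', type: 'text' }, { name: 'pass', type: 'password' }] },
  { action: '/search', method: 'get', fields: [{ name: 'q', type: 'text' }] },
  { action: 'https://auth.example/login', method: 'post',
    fields: [{ name: 'user', type: 'text' }, { name: 'pass', type: 'password' }] },
];
```

Only the first sample form produces a warning; the warning names the field and the host it would reach, which is the "specific" part of SPW.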

Published In

WWW '05: Proceedings of the 14th international conference on World Wide Web
May 2005
781 pages
ISBN:1595930469
DOI:10.1145/1060745

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. HTTPS
  2. SSL
  3. Web browser
  4. certificate
  5. eavesdropping attack
  6. just-in-time instruction
  7. man-in-the-middle attack
  8. password
  9. safe staging
  10. well-in-advance instruction
