An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
Collin Jackson et al.
Presented by Roy Ford
Extended Validation Certificates
Enhanced Certificates
- Validate the owner of a domain
- Also validate that the owner is a legitimate business
- The business must be legally incorporated and have a business address
Extended Validation
List of sites that use Verisign Extended Validation
http://www.verisign.com/ssl/ssl-information-center/ssl-case-studies/ev-ssl-customers/index.html
Picture-in-Picture
- Normally, a user can tell which web page they are on, or how secure the page is, by looking at the address bar or looking for a padlock
- Hackers can get around this by overlaying the browser window with a JPEG that contains a valid URL and security indicators
- JavaScript can also be used to add functionality to the falsified page
Picture-in-Picture
http://www.technicalinfo.net/papers/images/WP.ImageOverlays.png
Study
- See how people classify web sites as safe or unsafe
- See if Extended Validation works
- See if training on security helps people identify bad web sites

Setup
- 27 participants were recruited and broken into 3 groups
  - Trained Group
  - Untrained Group
  - Control Group
- Each user was shown 12 web pages and asked to classify them as legitimate or not
User Classifications
- Trained group
  - Shown the Extended Validation bar
  - Asked to read the Internet Explorer help file on Extended Validation and phishing
- Untrained group
  - Just shown the Extended Validation bar, without an explanation
- Control group
  - Not shown Extended Validation
  - Were not asked to do the tasks that included EV
Web Site Classifications
Legitimate
- Real
  - The correct bank web site
- Real, but confusing
  - A real site that, when linked to, gives a warning and prompts for a password but not for a login
  - Looks fake, but it is real
Web Site Classification
Illegitimate
- Homograph attack
  - Subtly different URL to the attack site (www.bankofthevvest.com)
- Homograph with suspicious page warning
  - A known homograph attack that makes IE change the address bar to yellow
- Picture-in-Picture attack
  - Web browser is overlaid with a JPEG and JavaScript
Web Site Classification
Illegitimate
- Mismatched Picture-in-Picture
  - A Picture-in-Picture attack where the colors of the browser are different from the user's configured colors
- IP address blocked by Phishing Filter
  - URL contains an IP address that is known to the IE phishing filter. This forces IE to highlight the address in red and browse away from it
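The two URL-based cases on this slide (the "vv" homograph and the raw-IP address) can be screened mechanically. The following is an added example, not code from the paper or the presentation: it folds visually confusable ASCII sequences so that bankofthevvest.com collides with the real bank's domain, and flags IP-only hosts. The confusable table, the protected-domain list and the "last two labels" rule for the registrable domain are all constructed assumptions for this example.

```python
import re

# Confusable ASCII sequences folded to the letter they imitate (constructed list;
# a real deployment would draw on a full confusables table such as Unicode TR39).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("5", "s")]

# Registrable domains we want to protect (constructed for this example).
PROTECTED = {"bankofthewest.com", "example-bank.com"}


def fold(label: str) -> str:
    """Collapse confusable sequences in a lowercase DNS label, longest first."""
    for seq, letter in CONFUSABLES:
        label = label.replace(seq, letter)
    return label


def host_of(url: str) -> str:
    """Extract the host from a URL; tolerates a missing scheme, userinfo and port."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    authority = no_scheme.split("/", 1)[0].split("?", 1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].strip(".")


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify(url: str):
    """Return (verdict, domain) with verdict in: ip, idn, legitimate, lookalike, unknown."""
    host = host_of(url)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ("ip", host)                       # raw IP in the address bar
    if any(lbl.startswith("xn--") for lbl in host.split(".")):
        return ("idn", host)                      # punycode label: needs separate review
    domain = registrable(host)
    if domain in PROTECTED:
        return ("legitimate", domain)
    folded = ".".join(fold(lbl) for lbl in domain.split("."))
    for good in PROTECTED:
        if folded == ".".join(fold(lbl) for lbl in good.split(".")):
            return ("lookalike", good)            # visually imitates a protected domain
    return ("unknown", domain)
```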
Results
- Trained participants
  - More likely to classify the real confusing site as legitimate
  - Picture-in-Picture attacks more likely to succeed
  - More likely to identify real and spoofed sites as legitimate
Results
- Only 3 participants identified the 3 Picture-in-Picture attacks
  - Two tried to use an un-implemented browser feature
  - One did not trust pop-ups
Browser Documentation
- The authors felt that the trained users did poorly because the browser documentation for Extended Validation gave a false sense of security
From the IE Documentation
How can I tell if I have a secure connection?
In Internet Explorer, you will see a lock icon
in the Security Status bar. The Security Status bar
is located on the right side of the Address bar.
The certificate that is used to encrypt the connection
also contains information about the identity of the
website owner or organization. You can click the
lock to view the identity of the website.
Extended Validation
- Did not provide much advantage
  - Untrained and Control groups did not statistically vary in their use of the feature

Homograph Attack
- Where the browser font distinguished the two v's in bankofthevvest, it was not effective
  - One certificate pop-up did have a poor font in it, and the user mistakenly accepted it

Phishing Warnings
- Some users did not even notice them and marked phishing sites as legitimate
  - They give a false sense of security, since they are not 100% accurate

Picture-in-Picture
- Ways to reduce
  - Eliminate pop-ups to make the address field on the browser more consistent
  - Make browsers more customizable to generate more mismatched chrome
  - Teach users to validate that the browser window has focus when it is "bright"
  - Drag the window or maximize it, since the Picture-in-Picture cannot be resized
Conclusion
- Extended Validation and training did not improve the users' ability to recognize illegitimate sites
- The visual cues of Extended Validation, if they catch on, may be countered with Picture-in-Picture attacks