Abstract
The anti-spoofing community has been intensively proposing new methods to defend against new spoofing techniques, yet protecting naïve users from advanced spoofing attacks remains challenging. In this paper, we analyze the problems within existing anti-spoofing mechanisms and propose a new Automatic Detecting Security Indicator (ADSI) scheme. We first describe the trust model in ADSI in detail. In a secure transaction, ADSI may generate a random picture and embed it into the current web browser. This can be triggered by any security-relevant event that occurs in the browser, after which ADSI automatically checks the currently active security status. When a mismatch of embedded images is detected, an alarm goes off to alert the users. Since it is hard for an adversary to replace or mimic the randomly generated picture, the web-spoofing attack cannot be mounted. In comparison with existing proposals, our scheme has the weakest security assumption and places a very low burden on the computer by automating the detection and recognition of web spoofing for SSL-enabled communication. Moreover, the scheme is only slightly intrusive on the browser. Finally, the scheme can be implemented on a trusted PC at an Internet cafe, requiring neither a Logo Certification Authority nor a personalization scheme.
The first author’s work was done during her attachment to the Institute for Infocomm Research under its sponsorship. This effort is partially sponsored by the National Basic Research Program (973) MOST of China under Grant No. 2003CB317003.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Qi, F., Bao, F., Li, T., Jia, W., Wu, Y. (2006). Preventing Web-Spoofing with Automatic Detecting Security Indicator. In: Chen, K., Deng, R., Lai, X., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2006. Lecture Notes in Computer Science, vol 3903. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11689522_11
DOI: https://doi.org/10.1007/11689522_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-33052-3
Online ISBN: 978-3-540-33058-5
eBook Packages: Computer Science, Computer Science (R0)