DOI: 10.1145/1378600.1378612

Enhancing web browsing security on public terminals using mobile composition

Published: 17 June 2008

Abstract

This paper presents an architecture that affords mobile users greater trust and security when browsing the internet (e.g., when making personal/financial transactions) from public terminals at Internet Cafes or other unfamiliar locations. This is achieved by enabling web applications to split their client-side pages across a pair of browsers: one untrusted browser running on a public PC and one trusted browser running on the user's personal mobile device, composed into a single logical interface through a local connection, wired or wireless. Information entered via the personal device's keypad cannot be read by the PC, thwarting PC-based key-loggers. Similarly, information displayed on the personal device's screen is also hidden from the PC, preserving the confidentiality and integrity of security-critical data even in the presence of screen grabbing attacks and compromised PC browsers. We present a security policy model for split-trust web applications that defends against a range of crimeware-based attacks, including those based on active-injection (e.g. inserting malicious packets into the network or spoofing user-input events). Performance results of a prototype split-trust implementation are presented, using a commercially available cell phone as a trusted personal device.

Published In

MobiSys '08: Proceedings of the 6th international conference on Mobile systems, applications, and services
June 2008
304 pages
ISBN:9781605581392
DOI:10.1145/1378600
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. crimeware
  2. phishing
  3. split-trust
  4. trusted personal device
  5. user interface design

Qualifiers

  • Research-article

Conference

Mobisys08
Acceptance Rates

Overall Acceptance Rate 274 of 1,679 submissions, 16%

Article Metrics

  • Downloads (last 12 months): 3
  • Downloads (last 6 weeks): 0
Reflects downloads up to 17 Jan 2025

Cited By

  • (2024) Securing Web Inputs Using Parallel Session Attachments. Security and Privacy in Communication Networks, pp. 189-208. DOI: 10.1007/978-3-031-64954-7_10. Online publication date: 15 Oct 2024.
  • (2023) MousePath: Lightweight phone-to-web information sharing via mouse interface. Pervasive and Mobile Computing 90, article 101756. DOI: 10.1016/j.pmcj.2023.101756. Online publication date: Mar 2023.
  • (2019) SwitchMan: An Easy-to-Use Approach to Secure User Input and Output. 2019 IEEE Security and Privacy Workshops (SPW), pp. 105-113. DOI: 10.1109/SPW.2019.00029. Online publication date: May 2019.
  • (2018) Automated identification of sensitive data from implicit user specification. Cybersecurity 1:1. DOI: 10.1186/s42400-018-0011-x. Online publication date: 29 Sep 2018.
  • (2018) Automated Identification of Sensitive Data via Flexible User Requirements. Security and Privacy in Communication Networks, pp. 151-171. DOI: 10.1007/978-3-030-01701-9_9. Online publication date: 29 Dec 2018.
  • (2017) Security in User Interfaces Distributed Amongst Dynamic Sets of Devices and Users. Collaboration Meets Interactive Spaces, pp. 373-389. DOI: 10.1007/978-3-319-45853-3_16. Online publication date: 10 Jan 2017.
  • (2014) Is Anyone Looking? Mitigating Shoulder Surfing on Public Displays through Awareness and Protection. Proceedings of The International Symposium on Pervasive Displays, pp. 1-6. DOI: 10.1145/2611009.2611028. Online publication date: 3 Jun 2014.
  • (2013) Interaction techniques for creating and exchanging content with public displays. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1709-1718. DOI: 10.1145/2470654.2466226. Online publication date: 27 Apr 2013.
  • (2013) Device-based Isolation for Securing Cryptographic Keys. Procedia Computer Science 19, pp. 1130-1135. DOI: 10.1016/j.procs.2013.06.160. Online publication date: 2013.
  • (2012) Security in migratory interactive web applications. Proceedings of the 11th International Conference on Mobile and Ubiquitous Multimedia, pp. 1-10. DOI: 10.1145/2406367.2406386. Online publication date: 4 Dec 2012.
