[Owasp-cincinnati] SSL Strip?
Marco M. Morana
marco.m.morana at gmail.com
Sat Feb 21 12:04:02 EST 2009
Indeed, I did some research on my own on the effectiveness of current browser
warnings, and the results are discouraging, even with the new deployment of
EV SSL certificates.
I think the direction you are referring to, better user interaction and
better UIs, is what the industry needs to work on.
This is also advocated by Amir Herzberg, who did this very nice research in this
field. See the reference to his OWASP presentation as well as some of the
studies on users ignoring warnings (*).
(*) Excerpts from the studies:

- "Up to 300 BankDirect customers were presented with a security alert when
  they visited the bank's website ... invalid banking cert spooks only one user."
- Why Phishing Works: "... The best phishing site will be able to fool 90% of
- An Evaluation of EV and Picture-in-Picture Attacks: "... EV did not help users
  to identify either (picture-in-picture and homograph attacks)."
- "Usability studies show that server-identification, e.g. by an image or text
  displayed in the login page, can provide a modest improvement in the
  detection rates of spoofed sites. We found an improvement in detection
  rates when the user was actively involved in the image selection and
  display (e.g. if the user must click on the image)."
----- Original Message -----
From: "James Walden" <james.walden at gmail.com>
To: "Marco M. Morana" <marco.m.morana at gmail.com>
Cc: <esumerfd at bitbashers.org>; "OWASP Cincinnati"
<owasp-cincinnati at lists.owasp.org>
Sent: Saturday, February 21, 2009 10:32 AM
Subject: Re: [Owasp-cincinnati] SSL Strip?
>> The weakness is not SSL in my opinion but the fact that attacking the
>> user is
>> always the weakest ring of the chain.
> Agreed. SSLstrip is nothing new. The problem with SSL isn't the
> protocol, but the user ignoring its warnings. I don't think there's
> going to be a general solution to that, though there is enormous room
> for improvement in security user interfaces. One user study found
> that users were more likely to respond to a phishing attack if they
> received a browser warning about the certificate--they didn't read the
> error at all, but just skimmed something with the word security and
> felt reassured.
> Firefox 3's interface for handling bad certificates is much better
> than other browsers, so we might see some improvements with time.
> There are also tools like Passpet (http://passpet.org/) that greatly
> reduce the chance of user error by changing how passwords are handled
> in the browser. You can find a variety of innovative security
> interface ideas at the SOUPS conference.
> James Walden
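To make concrete what the thread means by SSLstrip attacking the user rather than the protocol, here is an added example (not code from the original posts and not the sslstrip tool itself): it models the downgrade an on-path attacker performs on a plain-HTTP page, and then runs the check a user or a browser-side helper would need in order to notice it, namely whether a form that carries a password now submits over plain HTTP. The host name bank.example, the HTML and the URLs are constructed sample data.

```python
"""Model of an SSLstrip-style downgrade and of the client-side cue it leaves.

Added example for this thread; not code from the original mailing-list post
and not the sslstrip tool itself.  The host name, the HTML and the URLs are
constructed sample data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page: what the real server returns over plain HTTP when a user
# types "bank.example" with no scheme.  Its links and login form point to
# HTTPS, which is exactly what the downgrade rewrites.
SAMPLE_PAGE = """<html><body>
<a href="https://bank.example/accounts">Accounts</a>
<form action="https://bank.example/login" method="post">
  <input name="user"><input name="password" type="password">
</form>
</body></html>"""


def downgrade(page_html: str) -> str:
    """What the attacker between browser and server does to the page.

    Every https:// reference becomes http://, so the browser never starts a
    TLS handshake and never sees a certificate.  The attacker keeps its own
    HTTPS connection to the real server and relays the traffic.  Because no
    certificate is presented to the browser, there is no warning to ignore;
    the only visible cue is the missing lock / the http:// scheme.
    """
    return re.sub(r"\bhttps://", "http://", page_html, flags=re.IGNORECASE)


class _PasswordFormCollector(HTMLParser):
    """Collects the resolved action URL of every form holding a password field."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.actions: list[str] = []
        self._current_action: str | None = None
        self._current_has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        tag = tag.lower()
        if tag == "form":
            # Resolve relative actions against the page URL, as a browser would.
            self._current_action = urljoin(self.base_url, attrs.get("action") or "")
            self._current_has_password = False
        elif tag == "input" and self._current_action is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current_has_password = True

    def handle_endtag(self, tag):
        if tag.lower() == "form" and self._current_action is not None:
            if self._current_has_password:
                self.actions.append(self._current_action)
            self._current_action = None
            self._current_has_password = False


def password_forms_over_http(page_html: str, page_url: str) -> list[str]:
    """Return the actions of password-carrying forms that would submit over
    plain HTTP.  An empty list means every credential form goes to HTTPS;
    anything else is the cue the downgrade leaves behind."""
    collector = _PasswordFormCollector(page_url)
    collector.feed(page_html)
    return [a for a in collector.actions if urlsplit(a).scheme.lower() != "https"]


if __name__ == "__main__":
    page_url = "http://bank.example/"
    print("before downgrade:", password_forms_over_http(SAMPLE_PAGE, page_url))
    stripped = downgrade(SAMPLE_PAGE)
    print("after downgrade: ", password_forms_over_http(stripped, page_url))
```

The check deliberately looks only at what the browser received: the original page has no insecure credential form, the downgraded one has exactly one, and at no point was a certificate error raised, which is why this attack does not depend on the user clicking through a warning.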