[Owasp-cincinnati] SSL Strip?

Marco M. Morana marco.m.morana at gmail.com
Sat Feb 21 12:04:02 EST 2009


Indeed I did some research on my own on the effectiveness of current browser 
warnings and the results are discouraging, even with the new deployment of 
EV SSL certificates.
I think the direction you are referring to, better user interaction and 
better UIs, is what the industry needs to work on.
This is also advocated by Amir Herzberg, who has done very nice research in this 
field. See the reference to his OWASP presentation as well as some of the 
studies on users ignoring warnings (*).

Marco

(*)
Up to 300 BankDirect customers were presented with a security alert when 
they visited the bank's website... invalid banking cert spooks only one user 
in 300:
http://computerworld.co.nz/news.nsf/UNID/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocument&pub=Computerworld

Why Phishing Works: ...The best phishing site will be able to fool 90% of 
participants...
http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf

An evaluation of EV and Picture-in-Picture Attacks: ...EV did not help users 
to identify either (picture-in-picture and homograph) attack.
http://www.usablesecurity.org/papers/jackson.pdf

Usability studies show that server-identification, e.g. by an image or text 
displayed in the login page, can provide a modest improvement in the 
detection rates of spoofed sites. We found an improvement in detection 
rates, when the user was actively involved in the image selection and 
display (e.g. if user must click on the image).
http://www.owasp.org/index.php/OWASP_Israel_2008_Conference_Amir_Herzberg


----- Original Message ----- 
From: "James Walden" <james.walden at gmail.com>
To: "Marco M. Morana" <marco.m.morana at gmail.com>
Cc: <esumerfd at bitbashers.org>; "OWASP Cincinnati" 
<owasp-cincinnati at lists.owasp.org>
Sent: Saturday, February 21, 2009 10:32 AM
Subject: Re: [Owasp-cincinnati] SSL Strip?


>> The weakness is not SSL in my opinion but the fact that attacking the 
>> user is
>> always the weakest ring of the chain.
>
> Agreed.  SSLstrip is nothing new.  The problem with SSL isn't the
> protocol, but the user ignoring its warnings.  I don't think there's
> going to be a general solution to that, though there is enormous room
> for improvement in security user interfaces.  One user study found
> that users were more likely to respond to a phishing attack if they
> received a browser warning about the certificate--they didn't read the
> error at all, but just skimmed something with the word security and
> felt reassured.
>
> Firefox 3's interface for handling bad certificates is much better
> than other browsers, so we might see some improvements with time.
> There are also tools like Passpet (http://passpet.org/) that greatly
> reduce the chance of user error by changing how passwords are handled
> in the browser.  You can find a variety of innovative security
> interface ideas at the SOUPS conference
> (http://cups.cs.cmu.edu/soups/).
>
> James Walden
> http://faculty.cs.nku.edu/~waldenj/ 
