[Owasp-leaders] Masters Thesis Proposals

Tim tim.morgan at owasp.org
Wed Feb 6 17:29:41 UTC 2013


> Next semester I'm going to conduct my master's thesis proposal and I'm still
> unable to decide on the topic.
> 
> My master's is in information security and digital crimes.


Consider investigating alternative methods for web and mobile
authentication.  See:
  http://corp.galois.com/blog/2011/1/5/quick-authentication-using-mobile-devices-and-qr-codes.html

There are a number of similar proposals.  These approaches let your
smartphone be the only or the second factor of authentication.  It won't
be long before everyone who uses a computer regularly will have a
phone capable of this.  Can you improve upon the proposed protocols?
Can you show how to make this practical, or implement it in a
real-world system to learn what works and what doesn't?



Different topic: Human-computer interaction and security side effects.
How can browsers or other UIs be improved to help the average user not
*fail* when being phished?

Examples of horrible UI designs in the past:
- The favicon in the URL bar.  Most users don't realize this comes
from the web site and not from the browser.  Make it a lock icon and
it is very convincing. (I think this is finally changing)

- HTTP authentication pop-up dialog.  It contains text from both the
site and from the browser.  Some browsers don't differentiate the two
very well, and allow for all kinds of confusing spoofing.  When pages
have numerous elements from multiple sites, it is really hard for
users to determine which site the authentication pop-up is really
from, which can be used in phishing attacks.

So the overall question is, what kinds of guidelines should UI
developers follow to help avoid these issues?  What concrete changes
would you make to browser UIs *right now* to reduce the likelihood
that users would get phished?  Make those changes and test a group of
users.



Hope that helps,
tim
