[Owasp-leaders] Masters Thesis Proposals

Ala'a Mubaied alaa.mubaied at owasp.org
Thu Feb 7 09:16:49 UTC 2013

Thank you guys very much,

Venkatesh Jagannathan, Jason Johnson, Konstantinos Papapanagiotou, Carlos
Serrao, Adrian Winckles, Dave Wichers, and Tim, really thanks.

I'm a pen tester focusing mainly on web and mobile penetration testing.

I'll need to go through each reply separately during the weekend and
will decide on the topic and contact you.

I'll keep you posted ... but I was astonished with the great ideas that you
guys have proposed :)

Appreciated.

On Wed, Feb 6, 2013 at 8:29 PM, Tim <tim.morgan at owasp.org> wrote:

> > Next semester I'm going to conduct my master's thesis proposal and I'm
> > still unable to decide on the topic.
> >
> > My master's is in information security and digital crimes.
> Consider investigating alternative methods for web and mobile
> authentication.  See:
> http://corp.galois.com/blog/2011/1/5/quick-authentication-using-mobile-devices-and-qr-codes.html
> There are a number of similar proposals.  These approaches let your
> smart phone be the only, or second factor of authentication.  It won't
> be long before everyone who uses a computer regularly will have a
> phone capable of this.  Can you improve upon the proposed protocols?
> Can you show how to make this practical, or implement it in a
> real-world system to learn what works and what doesn't?
> Different topic: Human-computer interaction and security side effects.
> How can browsers or other UIs be improved to help the average user not
> *fail* when being phished?
> Examples of horrible UI designs in the past:
> - The favicon in the URL bar.  Most users don't realize this comes
> from the web site and not from the browser.  Make it a lock icon and
> it is very convincing. (I think this is finally changing)
> - HTTP authentication pop-up dialog.  It contains text from both the
> site and from the browser.  Some browsers don't differentiate the two
> very well, and allow for all kinds of confusing spoofing.  When pages
> have numerous elements from multiple sites, it is really hard for
> users to determine which site the authentication pop-up is really
> from, which can be used in phishing attacks.
> So the overall question is, what kinds of guidelines should UI
> developers follow to help avoid these issues?  What concrete changes
> would you make to browser UIs *right now* to reduce the likelihood
> that users would get phished?  Make those changes and test a group of
> users.
> Hope that helps,
> tim