[Owasp-leaders] Masters Thesis Proposals

Ala'a Mubaied alaa.mubaied at owasp.org
Thu Feb 7 09:16:49 UTC 2013


Thank you guys very much,

Venkatesh Jagannathan, Jason Johnson, Konstantinos Papapanagiotou, Carlos
Serrao, Adrian Winckles, Dave Wichers, and Tim, really thanks.

I'm a pen tester focusing mainly on web and mobile penetration testing
(iOS/Android).

I'll need to go through each reply separately during the weekend time and
will decide on the topic and contact you.

I'll keep you posted ... but I was astonished with the great ideas that you
guys have proposed :)

Appreciated.
Ala'a


On Wed, Feb 6, 2013 at 8:29 PM, Tim <tim.morgan at owasp.org> wrote:

> > Next semester I'm going to conduct my master's thesis proposal and I'm
> > still unable to decide on the topic.
> >
> > My master's is in information security and digital crimes.
>
>
> Consider investigating alternative methods for web and mobile
> authentication.  See:
>
> http://corp.galois.com/blog/2011/1/5/quick-authentication-using-mobile-devices-and-qr-codes.html
>
> There are a number of similar proposals.  These approaches let your
> smart phone be the only, or second factor of authentication.  It won't
> be long before everyone who uses a computer regularly will have a
> phone capable of this.  Can you improve upon the proposed protocols?
> Can you show how to make this practical, or implement it in a
> real-world system to learn what works and what doesn't?
>
>
>
> Different topic: Human-computer interaction and security side effects.
> How can browsers or other UIs be improved to help the average user not
> *fail* when being phished?
>
> Examples of horrible UI designs in the past:
> - The favicon in the URL bar.  Most users don't realize this comes
> from the web site and not from the browser.  Make it a lock icon and
> it is very convincing. (I think this is finally changing)
>
> - HTTP authentication pop-up dialog.  It contains text from both the
> site and from the browser.  Some browsers don't differentiate the two
> very well, and allow for all kinds of confusing spoofing.  When pages
> have numerous elements from multiple sites, it is really hard for
> users to determine which site the authentication pop-up is really
> from, which can be used in phishing attacks.
>
> So the overall question is, what kinds of guidelines should UI
> developers follow to help avoid these issues?  What concrete changes
> would you make to browser UIs *right now* to reduce the likelihood
> that users would get phished?  Make those changes and test a group of
> users.
>
>
>
> Hope that helps,
> tim
>