Trusted paths for browsers
- 1 May 2005
- journal article
- Published by Association for Computing Machinery (ACM) in ACM Transactions on Information and System Security
- Vol. 8 (2), 153-186
- https://doi.org/10.1145/1065545.1065546
Abstract
Computer security protocols usually terminate in a computer; however, the human-based services which they support usually terminate in a human. The gap between the human and the computer creates potential for security problems. We examine this gap, as it is manifested in secure Web servers. Felten et al. demonstrated the potential, in 1996, for malicious servers to impersonate honest servers. In this paper, we show how malicious servers can still do this---and can also forge the existence of an SSL session and the contents of the alleged server certificate. We then consider how to systematically defend against Web spoofing, by creating a trusted path from the browser to the human user. We present potential designs, propose a new one, prototype it in open-source Mozilla, and demonstrate its effectiveness via user studies.Keywords
This publication has 6 references indexed in Scilit:
- Cut-&-Paste Attacks with JAVALecture Notes in Computer Science, 2003
- Digital Signatures and Electronic Documents: A Cautionary TalePublished by Springer Science and Business Media LLC ,2002
- WebALPSACM SIGecom Exchanges, 2001
- Practical server privacy with secure coprocessorsIBM Systems Journal, 2001
- Protecting secret keys with personal entropyFuture Generation Computer Systems, 2000
- The nature of a useable PKIComputer Networks, 1999