Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?
Mobile browsers are increasingly being relied upon to perform security sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real estate significantly changes the use and consistency of the security indicators and certificate information that alert users of site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, using the recommended guidelines for web user interface to convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. Finally, we use this evidence to argue that the combination of reduced screen space and an independent selection of security indicators not only make it difficult for experts to determine the security standing of mobile browsers, but actually make mobile browsing more dangerous for average users as they provide a false sense of security.
- Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?
- Book Title
- Information Security
- Book Subtitle
- 15th International Conference, ISC 2012, Passau, Germany, September 19-21, 2012. Proceedings
- pp 86-103
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Additional Links
- Industry Sectors
- eBook Packages
- Editor Affiliations
- 16. Institute of Security in Distributed Applications, University of Technology
- 17. Department of Computer Science, University of Erlangen-Nürnberg
- Author Affiliations
- 18. Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology, USA
- 19. School of Computer Science, Carleton University, Ottawa, Canada
To view the rest of this content please follow the download PDF link above.