Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures

  • Andre Adelsbach
  • Sebastian Gajek
  • Jörg Schwenk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3439)


Today the standard means for secure transactions in the World Wide Web (WWW) are the SSL/TLS protocols, which provide secure (i.e., private and authentic) channels between browsers and servers. As protocols, SSL/TLS are considered secure. However, SSL/TLS’s protection ends at the “transport/session layer”, and it is up to the application (here, the web browser) to preserve the security offered by SSL/TLS.

In this paper we provide evidence that most web browsers have severe weaknesses in the browser-to-user communication (graphical user interface), which attackers can exploit to fool users about the presence of a secure SSL/TLS connection and make them disclose secrets to attackers. These attacks, known as “Visual Spoofing”, imitate certain parts of the browser’s user interface, pretending that users communicate securely with the desired service while they actually communicate with the attacker. Therefore, most SSL/TLS protected web applications cannot be considered secure, due to deficiencies in browsers’ user interfaces.

Furthermore, we characterise Visual Spoofing attacks and discuss why they still affect today’s WWW browsers. Finally, we introduce practical remedies, which effectively prevent these attacks and which can easily be included in current browsers or (personal) firewalls to preserve SSL/TLS’s security in web applications.







Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Andre Adelsbach (1)
  • Sebastian Gajek (1)
  • Jörg Schwenk (1)

  1. Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany
