Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?

  • Chaitrali Amrutkar
  • Patrick Traynor
  • Paul C. van Oorschot
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)

Abstract

Mobile browsers are increasingly relied upon to perform security-sensitive operations. Like their desktop counterparts, these applications can use SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real estate significantly change the use and consistency of the security indicators and certificate information that alert users to site identity and to the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, against the recommended guidelines for conveying security through the web user interface set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of the guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms are actually implemented. Finally, we use this evidence to argue that the combination of reduced screen space and an independent selection of security indicators not only makes it difficult for experts to determine the security standing of mobile browsers, but actually makes mobile browsing more dangerous for average users, as it provides a false sense of security.
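
The guideline the paper measures against is the W3C Web Security Context: User Interface Guidelines (WSC-UI), which ties the indicator a browser may display to the TLS state of the top-level page and of every dependent resource. The Python below is an added illustration, not code from the paper or from the W3C: it encodes a simplified reading of those categories (strongly protected, weakly protected, mixed content, unprotected, error) and then checks a browser's observed padlock and identity signal against them, the same kind of comparison the authors make by hand across twelve browsers. The `TLS`, `Resource`, `PageLoad`, `classify` and `audit` names and the sample page loads are constructed for this example and are not measurements from the paper.

```python
"""Derive the indicator a browser should show for a page load and audit what it
actually showed. Simplified model of the W3C WSC-UI categories; added example,
not the paper's own tooling."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
from urllib.parse import urlparse


class TLS(Enum):
    """Outcome of handshake + certificate validation for one fetch (assumed model)."""
    NONE = "none"      # fetched over plain http://
    STRONG = "strong"  # trusted chain, hostname matches, strong cipher suite
    WEAK = "weak"      # untrusted/self-signed cert or weak cipher the user overrode
    ERROR = "error"    # validation failed and was not overridden


@dataclass
class Resource:
    url: str
    tls: TLS
    ev_org: Optional[str] = None  # subject organization of an EV certificate, if any


@dataclass
class PageLoad:
    top: Resource
    subresources: List[Resource] = field(default_factory=list)


@dataclass
class Indicator:
    level: str     # strong | weak | mixed | none | error
    padlock: bool  # may the primary UI show the TLS-secured icon?
    identity: str  # what the identity signal should display
    warn: bool     # must the browser interrupt with a warning?


def classify(page: PageLoad) -> Indicator:
    """Indicator the guideline calls for, given the TLS state of every fetch."""
    host = urlparse(page.top.url).hostname or ""
    top = page.top.tls
    if top is TLS.ERROR:
        return Indicator("error", False, host, True)
    if top is TLS.NONE:
        return Indicator("none", False, host, False)
    if top is TLS.WEAK:
        return Indicator("weak", False, host, False)
    # Top-level fetch is strongly protected; dependent loads can only downgrade it.
    # Subresources whose validation failed are assumed blocked and so not counted.
    sub = [r.tls for r in page.subresources]
    if TLS.NONE in sub:
        return Indicator("mixed", False, host, False)
    if TLS.WEAK in sub:
        return Indicator("weak", False, host, False)
    # An EV certificate carries a validated organization name; a DV certificate
    # vouches for the hostname only, so that is all the identity signal may claim.
    identity = page.top.ev_org if page.top.ev_org else host
    return Indicator("strong", True, identity, False)


def audit(page: PageLoad, observed_padlock: bool, observed_identity: str) -> List[str]:
    """Compare what a browser rendered with what the guideline calls for."""
    expected = classify(page)
    findings = []
    if observed_padlock and not expected.padlock:
        findings.append(f"padlock shown on a {expected.level} page: false sense of security")
    if expected.padlock and not observed_padlock:
        findings.append("strongly protected page shown without a padlock")
    if expected.padlock and observed_identity != expected.identity:
        findings.append(f"identity signal shows {observed_identity!r}, expected {expected.identity!r}")
    return findings


# Constructed sample page loads (hypothetical hosts, not data from the paper).
BANK = PageLoad(
    Resource("https://bank.example/login", TLS.STRONG, ev_org="Example Bank, Inc."),
    [Resource("https://static.bank.example/app.js", TLS.STRONG)],
)
MIXED = PageLoad(
    Resource("https://shop.example/cart", TLS.STRONG),
    [Resource("http://cdn.example/track.js", TLS.NONE)],
)
# What an SSL-stripped session looks like to the client: the login page itself
# arrives over plain http, so no indicator beyond the bare hostname is justified.
SSLSTRIPPED = PageLoad(Resource("http://bank.example/login", TLS.NONE))

if __name__ == "__main__":
    for name, page in [("bank", BANK), ("mixed", MIXED), ("stripped", SSLSTRIPPED)]:
        print(name, classify(page))
    # A browser that keeps a padlock on a mixed-content page is flagged:
    print(audit(MIXED, observed_padlock=True, observed_identity="shop.example"))
```

`audit` is the part a tester would run per browser: record the padlock state and the text of the identity signal the browser displays for each constructed page, and every mismatch is one of the inconsistencies the paper catalogues. The `SSLSTRIPPED` case is the one that matters most on a small screen: the correct indicator is nothing at all, so a browser that hides the URL bar leaves the user with no cue to distinguish it from the `BANK` case.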

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Chaitrali Amrutkar (1)
  • Patrick Traynor (1)
  • Paul C. van Oorschot (2)
  1. Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology, USA
  2. School of Computer Science, Carleton University, Ottawa, Canada
