Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?

  • Chaitrali Amrutkar
  • Patrick Traynor
  • Paul C. van Oorschot
Conference paper

DOI: 10.1007/978-3-642-33383-5_6

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)
Cite this paper as:
Amrutkar C., Traynor P., van Oorschot P.C. (2012) Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road?. In: Gollmann D., Freiling F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg

Abstract

Mobile browsers are increasingly being relied upon to perform security sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real estate significantly changes the use and consistency of the security indicators and certificate information that alert users of site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, using the recommended guidelines for web user interface to convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. Finally, we use this evidence to argue that the combination of reduced screen space and an independent selection of security indicators not only make it difficult for experts to determine the security standing of mobile browsers, but actually make mobile browsing more dangerous for average users as they provide a false sense of security.

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Chaitrali Amrutkar (1)
  • Patrick Traynor (1)
  • Paul C. van Oorschot (2)

  1. Georgia Tech Information Security Center (GTISC), Georgia Institute of Technology, USA
  2. School of Computer Science, Carleton University, Ottawa, Canada
